Grigoras Law · Toronto · Las Vegas · Litigation · Saturday, 25 April 2026
Information & Data Protection

Privacy Law.

Legal usage · from Latin privatus, "set apart; not public". The right to control access to one's personal information and to be free from unreasonable intrusion. Enforced through a combination of federal and provincial statutes (PIPEDA, PHIPA, FIPPA), regulator-led processes at the OPC and the IPC, and a suite of common law privacy torts recognized by Canadian courts.

Grigoras Law acts for individuals and organizations across Ontario on privacy and data matters. We advise on compliance programs, breach response, and regulator engagement; we litigate intrusion upon seclusion, public disclosure, and false light claims; and we pursue targeted remedies where personal information has been collected, used, or disclosed without consent.

What we do

Privacy law services.

Privacy work falls into three registers: organizational compliance to build the programs that reduce exposure, individual rights work when access, correction, or consent has been denied, and breach and tort litigation when something has gone wrong and needs to be addressed with real remedies. Each item below links to the longer writeup.

Representative work

Selected matters.

Matters below are representative of privacy work the firm has handled, spanning regulator-led proceedings and civil litigation on privacy torts. Identifying details have been generalized where appropriate. Case results vary. Past outcomes do not predict future results.

IPC Ontario Personal Health Information

PHIPA access complaint before the IPC

Represented a client in a PHIPA-related access complaint before the Information and Privacy Commissioner of Ontario. Work addressed scope of the request, timeliness of the custodian's response, and the corrections sought to the client's personal health information record.

Health Information
IPC Ontario Access to Information

Freedom of information appeal

Represented a client on appeal before the IPC concerning access to records, exemptions claimed by the institution, and severance of responsive material under applicable access-to-information legislation.

Access to Information
ON SCJ Privacy tort defence

Defence of intrusion upon seclusion claim

Defended a civil action alleging unreasonable intrusion on the plaintiff's private affairs. Strategy focused on proportional discovery, early identification of viable defences, and resolution on terms appropriate to the nature and scope of the alleged intrusion.

Privacy Tort
ON SCJ Privacy torts

False light publicity and public disclosure of private facts

Acted for a client in claims arising from the alleged misuse and dissemination of personal information, advanced concurrently under the recognized Ontario privacy torts of public disclosure of private facts and false-light publicity.

Privacy Torts
Insights & coverage

Media & publications.

Long-form analysis of the compliance frameworks and the privacy torts. Written for in-house counsel, privacy officers, and clients who need to understand where the statutory regime and the common law actually intersect.

The field, explained

A practitioner's guide to privacy law in Canada.

Long-form analysis of Canada's privacy regime: the hybrid statutory and common-law model, the obligations on organizations, the rights of individuals, the mechanics of breach response, the privacy torts recognized by Canadian courts, and the practical guidance that follows from all of it. Written as a reference. Updated periodically.

Chapter One

Understanding the Regime.

A hybrid statutory and common-law model. Federal and provincial data protection laws on one side. A suite of judge-made torts protecting personal dignity and autonomy on the other. They interlock in ways that matter in practice.

What Privacy Law Is

Canada's privacy regime is built on a hybrid statutory and common-law model, combining federal and provincial data protection laws with judge-made torts that protect personal dignity and autonomy. The principal statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c. 5, governs private-sector organizations engaged in commercial activities across Canada, except in provinces with substantially similar legislation. Those provinces are Alberta, British Columbia, and Québec. Schedule 1 of PIPEDA codifies the ten Fair Information Principles.

Each Canadian privacy law embodies the Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and challenging compliance. These principles shape how organizations collect, use, and disclose personal information in a manner consistent with what a reasonable person would consider appropriate under the circumstances.

Violations of these statutes can result in regulatory investigations, civil suits, and fines of up to $100,000 under PIPEDA. In addition to statutory enforcement, courts have recognized a suite of privacy torts, including intrusion upon seclusion and public disclosure of private facts, that provide recourse even where no legislation applies.

The Legislative Landscape

Canada's privacy framework is built on a layered and cooperative system of federal, provincial, and sector-specific privacy laws that govern how personal information is collected, used, and disclosed across the country. Together, these laws form one of the most comprehensive systems of personal information protection in the world.

While the Canadian Charter of Rights and Freedoms guarantees basic expectations of privacy under sections 7 and 8, the Charter mainly protects against state intrusion. The modern body of privacy legislation establishes clear statutory rights and obligations for private organizations, health custodians, and public institutions that handle personal information.

Public, Private, and Health Sector Privacy Laws

Canada's privacy statutes can be grouped into three main categories, each addressing a distinct sector. The table below summarizes the scope and the principal governing statute in each.

| Sector | Scope | Principal statute(s) |
|---|---|---|
| Public sector | Government bodies at the federal and provincial levels | Federal Privacy Act, R.S.C. 1985, c. P-21. Ontario's FIPPA |
| Private sector | Organizations engaged in commercial activity | PIPEDA federally. PIPA in Alberta and BC. Law 25 in Québec |
| Health sector | Patient data and personal health information | Ontario's PHIPA. Alberta's Health Information Act |

Each of these frameworks sets out key requirements for collection, consent, disclosure, safeguards, accuracy, retention, and access. They also establish independent oversight bodies, the Privacy Commissioners, that investigate complaints and issue recommendations or binding orders.

Federal and Provincial Interplay in Privacy Protection

Canada's privacy legislation reflects its federal constitutional structure. The federal government's authority to legislate privacy arises under its trade and commerce power, while the provinces regulate under property and civil rights. This overlap allows both levels of government to enact privacy laws that coexist. PIPEDA applies to private-sector organizations engaged in commercial activity, while Alberta's and British Columbia's Personal Information Protection Acts cover businesses operating solely within those provinces. Québec's Act Respecting the Protection of Personal Information in the Private Sector provides a similar regime under civil law principles.

Unlike the sector-based approach found in the United States, Canadian privacy law follows a comprehensive, principles-based model. Emerging provincial reforms, such as Québec's Law 25 and Ontario's modernization efforts, continue to align Canadian privacy protection with international standards like the EU's General Data Protection Regulation (GDPR). The result is a harmonized system of rules designed to ensure reasonable, transparent, and accountable handling of personal information across sectors.

Chapter Two

Organizational Compliance.

Privacy is either built into how an organization operates or it becomes a crisis. The program work, the consent architecture, the cross-border analysis, and the accountability structures that distinguish the two outcomes.

PIPEDA Compliance Programs

Businesses operating in Canada must treat privacy compliance as a core governance issue. The Office of the Privacy Commissioner of Canada (OPC) has issued extensive guidance emphasizing layered privacy notices, context-sensitive consent, and proactive communication about data uses involving profiling or automated decision-making. Recommended measures include:

  • Mapping personal data flows and identifying lawful bases for processing.
  • Drafting layered privacy notices in plain language and updating them annually.
  • Implementing breach response protocols aligned with the Breach of Security Safeguards Regulations (SOR/2018-64), which require mandatory breach reporting to the OPC and notification of affected individuals where there is a real risk of significant harm; record-keeping obligations apply to all breaches, reportable or not.
  • Conducting privacy impact assessments for cross-border transfers and new technologies.
  • Engaging with the OPC's interpretation bulletins on consent and accountability.

The notion of meaningful consent sits at the heart of Canadian privacy law. Originally designed for an era of paper records, the traditional "notice and choice" model struggles in today's complex data environment. Modern technologies, from cloud services and the Internet of Things to algorithmic profiling, require consent mechanisms that are comprehensible, prominent, and ongoing.

Recent modernization proposals to PIPEDA, set to become the Consumer Privacy Protection Act, seek to strengthen consent by requiring disclosure of automated decision logic and ensuring that individuals have real control over their personal information.

Cross-Border Data Transfers

Canadian law allows personal data to be transferred abroad for processing, provided the transferring organization ensures a comparable level of protection through contractual, technical, and procedural safeguards. While Parliament chose not to impose EU-style restrictions, the OPC expects organizations to notify individuals if their data may be processed outside Canada and to identify applicable foreign laws.

Alberta's PIPA mandates explicit notice where service providers operate outside the country, whereas Québec's reformed privacy law (Law 25) requires a written assessment of privacy risks before any cross-border communication. In practice, privacy lawyers advise clients to incorporate cross-border transfer clauses, breach notification triggers, and audit rights into service agreements to ensure defensible compliance and mitigate liability exposure.

Organizational Accountability

Canadian privacy laws strive to balance individual privacy with legitimate organizational and societal interests such as fraud prevention, security, and business operations. Statutes include specific exceptions for law enforcement, contractual necessity, emergencies, and legal proceedings. The guiding standard is reasonableness: organizations must collect and use personal information only for purposes that a reasonable person would consider appropriate. This test ensures that privacy rights remain adaptable and contextual rather than absolute.

Chapter Three

Individual Rights and Complaints.

Access, correction, consent withdrawal, and escalation. The mechanisms available to individuals under the Fair Information Principles, PHIPA, and the regulator-led complaint processes that run in parallel with (or in place of) civil litigation.

Access, Correction, and Complaints

Under the Fair Information Principles and PIPEDA's Division 1, individuals have the right to access personal information held about them, challenge its accuracy, and withdraw consent. Organizations must respond within 30 days, subject to limited exceptions. Refusals can be reviewed by the OPC or the relevant provincial commissioner.

The OPC's online resources provide templates for access requests and complaints, emphasizing transparency and accountability. Repeated non-compliance can lead to naming-and-shaming reports, compliance agreements, or Federal Court orders compelling compliance and awarding damages.

PHIPA Access and Correction

Ontario's Personal Health Information Protection Act (PHIPA), SO 2004, c. 3, Sch. A, is Ontario's health-sector privacy statute and governs the collection, use, and disclosure of personal health information by health information custodians. It provides specific rights for individuals seeking access to or correction of their personal health information. Health information custodians must respond to access requests within prescribed timelines and may only refuse access in limited circumstances, such as where disclosure would pose a serious risk to treatment or safety.

Individuals who are denied access or correction may file a complaint with the Information and Privacy Commissioner of Ontario, which has authority to review custodian decisions, order compliance, and award costs in appropriate cases.

Privacy Complaints and IPC Appeals

Privacy complaints can be filed with federal or provincial privacy commissioners depending on the jurisdiction and sector involved. The complaint process typically begins with an attempt at mediation or early resolution. If unsuccessful, the matter proceeds to investigation and, where warranted, a formal report with findings and recommendations.

In Ontario, individuals may appeal IPC decisions to the Divisional Court. Federal PIPEDA complaints may be taken to Federal Court where the OPC has issued a report of findings. Legal representation is strongly advised for navigating these processes, particularly where systemic issues or significant damages are at stake.

Chapter Four

Data Breach Response and Remedies.

Containment, notification, and the parallel tracks of regulatory engagement and civil exposure. The damages framework that has emerged in Canadian privacy jurisprudence and the litigation-strategy considerations that follow from it.

Data Breach Response

Under PIPEDA's Breach of Security Safeguards Regulations, organizations must report breaches involving personal information to the OPC where there is a real risk of significant harm. Affected individuals must also be notified, and organizations must maintain records of all breaches, whether reportable or not.

An effective breach response moves through three stages:

  1. Contain and assess. Immediately contain the breach and assess its scope. Identify what information was affected, how many individuals are involved, and how the breach occurred.
  2. Notify. Report to the OPC and notify affected individuals within prescribed timelines. Provincial health information laws such as PHIPA impose similar obligations on health information custodians.
  3. Document and remediate. Document the breach and all remedial measures taken. Review security safeguards and implement corrective measures to prevent recurrence.

Coordination with legal counsel throughout this process is essential to manage regulatory engagement, assess potential claims from affected individuals, and preserve solicitor-client privilege over internal investigation materials.

Remedies and Damages

Under both statute and common law, damages for privacy violations may include general damages for emotional distress and loss of dignity, aggravated damages for humiliation or reputational harm arising from the manner of the breach, and punitive damages for malicious or high-handed conduct that warrants deterrence beyond compensation. Courts may also issue injunctions to prevent further disclosure or order the destruction of misused data.

In Jane Doe 72511 v. N.M., 2018 ONSC 6607, the court emphasized deterrence and expressive harm in awarding $100,000 in combined damages for the unauthorized publication of intimate images, signalling that privacy violations are not merely technical breaches but affronts to human dignity. This decision has shaped courts' approach to privacy damages across both statutory and tort-based claims, reinforcing the availability of significant non-pecuniary awards.

Litigation Strategy

Privacy litigation requires careful assessment of available causes of action, whether statutory or tort-based. Counsel should evaluate:

  • Whether the matter falls under PIPEDA, provincial privacy legislation, or health information laws.
  • The viability of privacy torts such as intrusion upon seclusion or public disclosure of private facts.
  • The strength of evidence for proving breach, harm, and causation.
  • Whether regulatory complaint processes should precede or accompany civil litigation.
  • The potential for class action certification where systemic breaches affect multiple individuals.

In Douez v. Facebook Inc., 2017 SCC 33, the Supreme Court of Canada refused to enforce a forum-selection clause favouring California, citing privacy's quasi-constitutional character in Canadian law. This ruling confirms that Canadian courts assert jurisdiction over privacy claims with a real and substantial connection to Canada, even against foreign defendants, and that contractual attempts to strip individuals of Canadian privacy protections will face close scrutiny.

Chapter Five

The Privacy Torts.

The common-law companion to the statutory regime. Four torts adapted from the Prosser taxonomy plus the provincial statutory privacy actions, each with its own elements, defences, and damages profile.

Parallel to the statutory regime, Canadian courts have recognized a suite of common-law privacy torts following the taxonomy first proposed by William Prosser and adapted to Canadian jurisprudence. These torts fill gaps left by legislation and offer remedies for intentional intrusions and disclosures that violate personal dignity. The table below summarizes the leading authorities and the shape of each cause of action.

| Tort | Leading case | Key requirements | Typical remedy |
|---|---|---|---|
| Intrusion upon seclusion | Jones v. Tsige, 2012 ONCA 32 | (a) intentional or reckless conduct; (b) invasion, without lawful justification, of private affairs or concerns; (c) reasonable person would regard as highly offensive, causing distress, humiliation, or anguish | Up to $20,000 non-pecuniary damages |
| Public disclosure of private facts | Jane Doe 72511 v. N.M., 2018 ONSC 6607 | (a) defendant publicized aspect of plaintiff's private life; (b) without consent; (c) highly offensive to a reasonable person; (d) not of legitimate concern to the public | Compensatory, aggravated, and punitive damages. Injunction |
| False light | Y. (V.M.) v. G. (S.H.), 2019 ONSC 7279 | (a) false light highly offensive to a reasonable person; (b) defendant's knowledge of, or reckless disregard for, the falsity | Damages for reputational and dignitary harm |
| Appropriation of personality | Hategan v. Frederiksen, 2021 ONSC 874 | (a) use of plaintiff's personality; (b) without consent; (c) for commercial gain | Compensatory damages. Accounting of profits. Injunction |
| Statutory privacy torts | MB · SK · NL · BC Privacy Acts | Wilful and unjustified violation of privacy. Defendants may raise good-faith or legal authority defences | Damages, injunctions, delivery or destruction of material |

Intrusion Upon Seclusion

The Ontario Court of Appeal formally recognized the tort of intrusion upon seclusion in Jones v. Tsige, 2012 ONCA 32, setting out a three-element test at para 71. Absent aggravating features, damages are ordinarily measured by a modest conventional sum (in the range of $20,000). The plaintiff must establish three elements:

  1. The defendant's conduct was intentional or reckless.
  2. The defendant invaded, without lawful justification, the plaintiff's private affairs or concerns.
  3. A reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.

Proof of harm to a recognized economic interest is not an element of the cause of action; damages are ordinarily measured by a modest conventional sum in the range of $20,000. The Court of Appeal in Tsige identified five factors relevant to quantum: the nature, incidence, and occasion of the wrongful act; its effect on the plaintiff's health, welfare, social, business, or financial position; any relationship between the parties; any distress, annoyance, or embarrassment suffered; and the conduct of the parties before and after the wrong, including any apology or offer of amends. The tort cannot be used to sidestep defamation defences like qualified privilege, and courts will scrutinize whether a claim framed as intrusion is in substance one about reputation.

Public Disclosure of Private Facts

The Ontario Superior Court first recognized this tort in Jane Doe 464533 v. D. (N.), 2016 ONSC 541 (a default judgment that was later set aside on procedural grounds), and reaffirmed it in Jane Doe 72511 v. N.M., 2018 ONSC 6607, drawing on the formulation in the Restatement (Second) of Torts at section 652D. The court treated the publication of intimate images without consent as a paradigm case for the tort. The plaintiff must establish four elements:

  1. The defendant publicized an aspect of the plaintiff's private life.
  2. The plaintiff did not consent to the publication.
  3. The matter publicized, or the act of publication, would be highly offensive to a reasonable person.
  4. The publication was not of legitimate concern to the public.

The threshold concept is publicity: the disclosure must have been communicated on a sufficiently large scale rather than to a small number of individuals. In Jane Doe 72511, the court awarded $50,000 in general damages, $25,000 in aggravated damages, and $25,000 in punitive damages, totalling $100,000, on facts involving a former partner posting an intimate video to an adult website without consent. The tort is not limited to intimate images; embarrassing or otherwise private behaviour may also ground a claim where the publication crosses the highly-offensive threshold and is not of legitimate public concern.

"Privacy violations are not merely technical breaches. They are affronts to human dignity that the law responds to in kind." (Canadian privacy tort jurisprudence)

Publicity Placing the Plaintiff in a False Light

The Ontario Superior Court formally adopted this tort in Y. (V.M.) v. G. (S.H.), 2019 ONSC 7279 (also reported as Yenovkian v. Gulian), drawing on the formulation in the Restatement (Second) of Torts. Substantial general and punitive damages were awarded on facts involving cyberbullying through websites, social media, and crowdfunding pages. The plaintiff must establish two elements:

  1. The false light in which the plaintiff was placed would be highly offensive to a reasonable person.
  2. The defendant had knowledge of, or acted in reckless disregard as to, the falsity of the publicized matter and the false light in which the plaintiff would be placed.

The tort sits between defamation and the disclosure-based privacy torts and captures three recurring fact patterns: falsely attributing an opinion or utterance to the plaintiff (for example, putting an author's name on something they did not write, or fabricating a product testimonial); using the plaintiff's image to illustrate something with which they have no real connection (a stock photo of a person used to illustrate a piece on negligent parenting, addiction, or marital infidelity); and including the plaintiff's name or image in a "rogues' gallery" so that the public infers shared character. Defamation is not required; what matters is that a reasonable person would find the misrepresentation highly offensive. The tort has clear application to deepfake material, much of which falls short of defamation but maps cleanly onto the false-light test.

Appropriation of Personality

The tort of appropriation of personality prohibits the unauthorized commercial exploitation of an individual's name, likeness, voice, or image. It was first recognized in Canada in Krouse v. Chrysler Canada Ltd., [1973] O.J. No. 2157 (C.A.), and applied in Athans v. Canadian Adventure Camps Ltd., [1977] O.J. No. 2417 (H.C.J.), where the court awarded damages after a stylized drawing based on a photograph of a professional water-skier was used to advertise a water-skiing camp. The Ontario Superior Court reaffirmed the elements of the tort in Hategan v. Frederiksen, 2021 ONSC 874 at para 43, where the claim failed because there was no evidence of commercial or economic gain, or that the defendant used the plaintiff's name for commercial endorsement purposes. The plaintiff must establish three elements:

  1. Use of the plaintiff's personality.
  2. Without consent.
  3. For commercial gain.

The tort protects two distinct interests: the right of a person who desires privacy not to be the object of publicity for another's commercial ends without consent, and the exclusive right of publicity in a person's persona. It is not limited to celebrities; the Alberta courts have applied it to a professional whose name was used on forged financial documents to lend them credibility (Hay v. Platinum Equities Inc., 2012 ABQB 204). Defences include consent, public interest (the tort does not protect against journalistic, biographical, or other informational publication in the public interest), legal authority, fair comment, and privilege.

Statutory Privacy Torts and Remedies

Several provinces (Manitoba, Saskatchewan, Newfoundland and Labrador, and British Columbia) codify privacy torts under their respective Privacy Acts. Plaintiffs must show a wilful and unjustified violation of privacy, and defendants may rely on good-faith or legal authority defences. Remedies include damages, injunctions, and orders for the delivery or destruction of unlawfully obtained information. Courts routinely tailor remedies to the seriousness of the invasion, awarding aggravated and punitive damages where conduct is malicious or repeated.

Chapter Six

Practical Guidance.

A short closing chapter. What organizations should be doing. What individuals can do. How courts and regulators balance the competing interests in practice.

Practical Steps for Organizations

Organizations that treat privacy as a core governance issue rather than an afterthought tend to avoid the breach-and-crisis cycle. Core operational practices include mapping personal data flows and identifying lawful bases for processing, drafting layered privacy notices in plain language and updating them annually, implementing breach response protocols aligned with regulatory requirements, conducting privacy impact assessments for cross-border transfers and new technologies, training staff on privacy obligations and incident response procedures, and conducting regular audits of data handling practices and third-party vendors.

Practical Steps for Individuals

Individuals can enhance their own privacy position by exercising their right to access and correct personal information held about them, filing complaints with privacy commissioners when consent or access rights are denied, reviewing social-media privacy settings, and seeking legal advice promptly when facing online harassment, non-consensual image sharing, or data misuse. The Canadian courts have made clear that both compensatory and symbolic damages are available, and regulator consumer guidance pages provide tools to lodge complaints and request the removal of harmful online content.

Balancing Privacy Rights and Organizational Necessity

Canadian privacy laws strive to balance individual privacy with legitimate organizational and societal interests such as fraud prevention, security, and business operations. Statutes include specific exceptions for law enforcement, contractual necessity, emergencies, and legal proceedings. The guiding standard is reasonableness: organizations must collect and use personal information only for purposes that a reasonable person would consider appropriate.

Where disputes arise, courts and privacy commissioners apply a contextual analysis that considers the nature of the information, the purpose of collection, the reasonable expectations of individuals, and the availability of less intrusive alternatives. This balanced approach reflects Canada's commitment to protecting privacy while enabling legitimate data use that benefits society as a whole.

Common questions

Frequently asked.

Quick answers to the questions we hear most often on privacy files. For anything specific to your situation, an intake form is the right next step.

Disclaimer. The answers provided in this FAQ section are general in nature and should not be relied upon as formal legal advice. Each individual case is unique, and a separate analysis is required to address specific context and fact situations. For comprehensive guidance tailored to your situation, we welcome you to contact our team.
01

Someone recorded and distributed an explicit video of me without my consent. Can I sue?

Based on Canadian law and the leading authorities Jane Doe 464533 v. D. (N.) ("Jane Doe 2016") and Jane Doe 72511 v. N.M. ("Jane Doe 2018"), it is highly possible to sue someone who recorded a sexually explicit video of you without your consent, especially where it was then distributed on a large scale, such as online. This is a violation of privacy rights and can qualify as the tort of public disclosure of private facts.

Under the Restatement (Second) of Torts at 652D, this tort is defined as: one who gives publicity to a matter concerning the private life of another is subject to liability if the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public. The key concept is publicity, meaning the disclosure has been communicated on a large scale rather than just to a small number of individuals. In both Jane Doe cases the courts recognized this tort and found the defendants liable for non-consensual recording and public distribution.

To establish liability, a plaintiff must prove four elements:

  1. The defendant publicized an aspect of the plaintiff's private life.
  2. The plaintiff did not consent to the publication.
  3. The matter publicized, or its publication, would be highly offensive to a reasonable person.
  4. The publication was not of legitimate concern to the public.

In both Jane Doe 2016 and Jane Doe 2018 the courts awarded substantial damages: $50,000 in general damages, $25,000 in aggravated damages, and $25,000 in punitive damages. Always consult a legal professional to assess your specific situation.

02

My employer recorded me secretly because he thought I was sleeping on the job. Is this allowed?

While it can be unsettling to learn that you have been secretly recorded by your employer, the legality of this act depends on a number of factors, including jurisdiction, the employer's intent, and the reason for the recording. Under certain circumstances it may be legally permissible for an employer to secretly record an employee, particularly where there is a reasonable suspicion of misconduct. This is especially the case in civil proceedings, where the results of such surveillance can be considered relevant and admissible evidence unless another rule of evidence excludes it.

The decision in Richardson v. Davis Wire Industries Ltd. provides an important precedent. In that wrongful dismissal action the employer had received reports that an employee was sleeping at work and used surreptitious video surveillance to investigate. At trial, the plaintiff's lawyer sought to bar the admission of the videotape, citing an invasion of privacy. The court rejected the privacy argument and ruled that the video was admissible as evidence.

That said, in Richardson the judge expressed regret about the employer's choice to secretly videotape the employee rather than confronting him directly. While such secret recordings might sometimes be legally permissible, they may not always be seen as the best or most ethical approach to addressing workplace issues. The circumstances of each case differ significantly, and laws vary by jurisdiction. If you find yourself in such a situation, consult with a qualified lawyer who can provide advice on the specific facts.

03

Can my prospective employer Google me?

Under Canadian law, the simple answer is yes. This includes Google searching, viewing your Facebook or Twitter feed, or any other form of online search about potential candidates. It is the modern equivalent of the longstanding accepted practice of asking a job candidate for letters of reference. Employers are generally free to learn as much about a candidate as possible.

However, there are privacy-related considerations that may limit these kinds of inquiries. Using British Columbia as an example, the collection, use, and disclosure of personal information retrieved from social media about a job candidate is subject to the province's privacy legislation, including the Freedom of Information and Protection of Privacy Act for public bodies and the Personal Information Protection Act for private employers. Under those statutes, employers are only entitled to collect information that a reasonable person would consider appropriate in the circumstances, and they must ensure it is accurate.

Prospective employers can legally review publicly available information, including social media profiles, photos, written material, personal websites, and blogs. Employers may glean characteristics such as community participation, creativity, and judgment, and conversely may find reasons not to hire based on inappropriate content, negative comments about previous employers, or discriminatory language. As long as these considerations are not influenced by prohibited grounds of discrimination, an employer is entitled to consider them when making a hiring decision.

Employers should not, however, demand access to a job candidate's social media accounts as part of the interview process. The Ontario Human Rights Commission has issued a statement warning employers that asking candidates for social media passwords may contravene the Human Rights Code provisions prohibiting discrimination arising from a written or oral form of employment application or inquiry.

04

I believe my child is being cyber-bullied. Does Canada have laws against this?

Yes, Canada has laws that can protect your child against cyberbullying and potentially help prosecute individuals responsible for this behaviour. These laws encompass privacy torts, defamation, and specific anti-cyberbullying and non-consensual intimate image legislation.

On privacy laws and torts: several Canadian provinces have legislation or case law that explicitly recognizes a tort of violation of privacy. This includes Ontario, British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador, each of which has a Privacy Act stating that it is a tort to wilfully violate another's privacy without a claim of right. This can include eavesdropping or surveillance, which may apply to cyberbullying in certain contexts.

On defamation: defamation can be another avenue to address cyberbullying, especially when false injurious statements are made online. The Canadian framework recognizes reputational harm through civil claims, though defences such as truth and fair comment apply.

On anti-cyberbullying and non-consensual intimate image laws: one landmark case is A.B. v. Bragg Communications Inc., in which the Supreme Court of Canada acknowledged the importance of protecting young people's privacy rights due to the extensive, direct, and harmful consequences of cyberbullying. The Protecting Canadians from Online Crime Act, in force since 2014, amended the Criminal Code to introduce a new offence of non-consensual distribution of intimate images, along with complementary amendments that allow for removal of such images from the internet. Several provinces (Manitoba, Nova Scotia, Newfoundland, and Alberta) have enacted specific laws in this area. Search engines like Google, Microsoft, and Yahoo have also taken action by allowing victims to have such content removed from search results associated with their names.

In summary, while there is no single specific "cyberbullying" law in Canada, various elements of the Canadian legal system can be used to protect individuals, including minors, from online harassment, defamation, and invasions of privacy. Always consult with a legal professional for specific guidance related to your situation.

05

Does consent to one type of personal data use extend to other uses?

Often, no. Consent is typically limited to the specific purpose disclosed at the time of collection. If, for example, you agreed to let a company store your data for membership verification, that does not necessarily allow them to sell or share it for targeted advertising. Courts and Privacy Commissioners examine the scope of consent carefully. If usage deviates from what you agreed to, you may have grounds for a privacy complaint or lawsuit.

06

Can organizations be held liable for privacy breaches committed by their employees?

Yes, organizations in Ontario can be held liable for privacy breaches committed by their employees in certain circumstances. This liability is typically addressed through the doctrine of vicarious liability, where an employer is held responsible for the actions of its employees if those actions occur in the course of their employment.

For an organization to be vicariously liable for a privacy breach, three conditions generally need to be met:

  1. Employee-employer relationship. There must be a clear employee-employer relationship, including situations where the employee was acting within the scope of their employment when the breach occurred.
  2. Connection to employment. The privacy breach must be sufficiently connected to the employee's duties or tasks as assigned by the employer. That is, the employee's actions must relate to their job responsibilities, even if those actions were unauthorized or contrary to the employer's instructions.
  3. Reasonable foreseeability. It must be reasonably foreseeable that the employee's actions could result in a privacy breach. Where an organization fails to implement adequate safeguards or oversight, it may increase its risk of liability.

Organizations can mitigate potential liability by implementing strong privacy policies, training employees on data protection practices, and establishing procedures for monitoring and auditing access to personal information. If a breach occurs, promptly addressing the issue and taking corrective measures can also influence the extent of liability. If you believe your privacy was breached by an organization's employee, document the incident and consult with legal counsel to explore potential claims against the organization for intrusion upon seclusion or any other applicable legal remedies.

07

Can a business claim a privacy tort like misappropriation of personality?

Generally, privacy torts are designed to protect individual interests (such as personal autonomy or emotional well-being) rather than corporate identity. However, businesses sometimes pursue related claims under trademark, passing off, or breach of confidence if their brand or proprietary information is misused. In rare scenarios, a corporate representative's personal likeness might be at stake, and if so, a combined approach using privacy torts and business torts may be warranted.

08

How does the public interest defence apply to news articles?

Ontario courts often evaluate whether the disclosed information contributes meaningfully to public understanding of a significant issue, such as political corruption or public health crises. If so, news outlets might invoke the public interest defence, arguing they only revealed essential personal details and avoided sensational or irrelevant material. The threshold involves balancing the article's societal importance against the intrusion's severity. Sensational or prurient revelations with negligible public value usually fail under this defence.

09

What is the difference between defamation and false light publicity?

Defamation generally requires a false statement harming someone's reputation. False light can involve inaccuracies or omissions that misrepresent a person's private life, causing distress or humiliation, even if it does not directly harm their standing in the community. A defamation claim focuses on reputational damage, whereas false light zeroes in on the personal affront of being portrayed in a misleading manner, even if the statements do not strictly slander or libel the plaintiff.

10

How do I enforce a judgment or injunction if the defendant keeps reposting private content?

If the defendant disregards a court order to remove private material or stop disclosure, they risk being found in contempt of court. This can result in fines or imprisonment. Plaintiffs can return to court to report ongoing violations, potentially receiving further remedial orders. In an online context, plaintiffs may also seek assistance from platforms, hosting services, or domain registrars to remove content or block certain webpages, leveraging the court's injunctive authority.

Start your file

Privacy law is either built into how you operate, or it becomes a crisis.

Organizations that treat privacy as an afterthought eventually face a breach, a regulatory complaint, or a civil claim that makes the compliance cost look small. Individuals whose personal information has been collected, disclosed, or weaponized without consent have real legal remedies under PIPEDA, PHIPA, and the common law privacy torts. Grigoras Law advises on both sides of that equation: building the programs and policies that reduce exposure, and litigating the claims that arise when something goes wrong.

Call: 888-407-4333 Email: info@grigoraslaw.com Hours: Mon to Fri · 7am to 7pm ET Response: within 2 business days

Confidential consultation

65 Queen Street West, Suite 1240, Toronto, Ontario M5H 2M5

Request a Consultation

Our team of experienced lawyers is at your service.