Modernizing Canada's Privacy Act

The Government of Canada has begun a targeted engagement with expert stakeholders. Find out more.

Why we are reviewing the Privacy Act

Our world has changed dramatically since Canada's Privacy Act came into force in 1983. When the Act was first introduced, information was still mainly stored on paper. After 35 years of technological advances and social change, Canadians' expectations of how federal institutions use, share and store their personal information have changed. The Act is federal legislation focussed on the protection of personal information held by the federal government and federal public-sector institutions.

In 2016, the House of Commons Standing Committee on Access to Information, Privacy and Ethics Committee (ETHI Committee) studied this topic. Experts and stakeholders who appeared before this committee raised concerns that the basic framework in the Privacy Act is overdue for a thorough review. The Office of the Privacy Commissioner also provided public opinion research suggesting that this perception is widespread among Canadians.

Given these societal and technological shifts, the Government of Canada is committed to reviewing our federal public sector privacy law to ensure it keeps pace with these changes. In its response to the ETHI Committee's report following its study on Privacy Act reform, the Government announced it would be leading a review of the Act, and would engage experts, organizations, advocates, and Canadians, as the review progresses.

What others are doing

Other countries have responded to these technological and societal changes with new laws to protect their citizens' personal information. These laws are sometimes called “data protection” laws.

In May 2018, the European Union brought into force a new privacy regime for all member jurisdictions called the General Data Protection Regulation (GDPR). The GDPR imposes privacy protection requirements for personal information within and flowing out of the European Union. Other countries, such as Australia, New Zealand and the United Kingdom, have also made changes to their own data protection frameworks.

Many Canadian provinces have also renewed their public sector privacy laws, and some have introduced specific health information privacy statutes.

Privacy protection in Canada

The Privacy Act is a key piece of Canada's overall legal framework for protecting privacy. It is federal legislation focused on the protection of personal information held by the federal government and federal public-sector institutions. However, Canadian law protects various privacy interests in many ways.

The Charter of Rights and Freedoms

Although the word “privacy” does not appear in the Canadian Charter of Rights and Freedoms, the Charter protects certain privacy interests. For example, section 8 of the Charter protects personal, territorial and informational privacy through the right to be free from unreasonable search and seizure by the government.

The Criminal Code

The Criminal Code also includes a number of criminal offences that protect privacy interests, such as the offense against voyeurism.

Quebec's Charter, Code civil and privacy torts

Section 5 of the Quebec's Charter states that “every person has a right to respect for his private life”. Its Code civil has provisions protecting privacy rights, and in some Canadian jurisdictions, courts have recognized common law privacy torts for intrusions into private affairs and spaces, and for the wrongful publication of private information. Some provinces have also enacted specific laws creating statutory privacy torts.

Provincial personal information protection laws

In addition, provincial and territorial governments have enacted statutes specifically aimed at protecting personal information, including in the public sector and the private sector. Some provinces have passed legislation aimed at protecting personal health information, and some have passed legislation that applies to municipalities.

The private sector and privacy: Personal Information Protection and Electronic Documents Act

Since 2001, at the federal-level, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules for how organizations engaged in commercial activities must handle personal information. This law now generally applies to all private-sector organizations that collect, use or disclose personal information in the course of commercial activities in Canada. In addition, provinces can also pass their own substantially similar private sector personal information protection statutes, and many have.

Innovation, Science and Economic Development Canada is currently undertaking a review of PIPEDA as part of its digital and data transformation vision.

A modern approach to privacy in Canada

We understand that individuals need to trust that the Government is a responsible steward of the personal information it handles. As Canadians, you may want to know:

  • the Government has thought about how to protect your privacy
  • how your personal information could be used and shared for other purposes
  • your information is accurate and secure
  • you can access your information in a timely manner
  • who is responsible for your data
  • what the Government is doing to prevent privacy violations, and what happens if there is a privacy breach.

At the same time, the Government needs to use personal information to govern effectively. As taxpayers and users of government services, Canadians also expect the Government to work efficiently and to be connected.

By complying with strong, but flexible, rules and principles, backed by meaningful governance and oversight, a modernized Privacy Act could lay the foundation for Canadians' trust in how the Government treats their personal information. A modernized Act could, therefore, set out an ethical framework to guide the Government on how to carefully and responsibly manage personal information.

Goals of a modern Privacy Act

Given modern expectations about privacy and government, a modernized Privacy Act should better:

  • respect you and the value you give to your personal information
  • support efficient, adaptable, and innovative approaches to governance
  • demonstrate meaningful and transparent accountability, including effective oversight

With these three guiding pillars, a modernized Privacy Act could help achieve the following goals:

Respect for context

You engage with the Government in a number of different contexts, many of which involve sharing your personal information. Depending on the context, you may have specific expectations as to how the Government should access or use your personal information.

In many cases, you provide your personal information to the Government because you want to receive a particular service or benefit, such as:

  • getting a passport
  • seeking employment insurance benefits
  • participating in old age security programs
  • applying for grants

In other contexts, you are obligated to provide the Government with your personal information, such as when you file an income tax return.

Modernized privacy legislation could better take into account individuals' expectations about privacy and how the Government manages their personal information in different contexts.

Technological neutrality

A modern Act could be technologically neutral so the Government could develop individualized and contextually sensitive approaches to compliance using a range of technologies.

Effective support and oversight

A modern Privacy Act could also provide Canada's privacy regulator, the Privacy Commissioner of Canada, with a more proactive and educational role, and with improved tools and powers it needs to effectively troubleshoot and oversee compliance.

Working with other legal regimes

A modern Act could also take into account the principles and rules in data protection laws in other jurisdictions. This would help position the Privacy Act, and Canada, as part of a broader and more modern data protection network, including Europe's General Data Protection Regulation.

Designing with privacy in mind

A modernized Privacy Act could recognize the importance of thinking about privacy protections at the outset of a project or initiative. Building privacy protection in at the design stage would include anticipating users' needs, and proactively responding to those needs, in order to offer enhanced and trustworthy services and user experiences.

Digital transformation

Digital transformation presents opportunities for greater innovation and innovative service delivery in the public interest. A modernized Act could be an important part of the Government's digital transformation and could support the protection of personal information held by the Government. Individuals expect better digitally enabled services and results, while their personal information is protected.

Next steps

As a next step, the Government plans to engage expert stakeholders to ask for their views and feedback on technical and legal considerations to consider in modernizing the Privacy Act. This targeted technical engagement will help us refine proposals for changes to the Act. Eventually, we would like to engage the broader Canadian public as we work to develop more concrete proposals for potential amendments to the Act.

Date modified: