Federal and provincial privacy laws in Canada do not expressly distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’.
The Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), Canada’s federal private sector privacy law, defines a ‘breach of security safeguards’ as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards” (Section 2(1)).
Under Section 26.2(b) of PIPEDA, if a province’s legislation has been deemed substantially similar to Part 1 of PIPEDA, then the organisations to which provincial legislation applies may be exempt from the application of Part 1 in respect of the collection, use and disclosure of personal information in that province. The provinces of British Columbia, Alberta and Quebec have private sector privacy laws deemed substantially similar to PIPEDA. Federal works, undertakings or businesses such as banks, telecommunications companies and transportation companies continue to fall under PIPEDA. Please see:
- Organizations in the Province of Québec Exemption Order (SOR/2003-374);
- Organizations in the Province of British Columbia Exemption Order (SOR/2004-220); and
- Organizations in the Province of Alberta Exemption Order (SOR/2004-219).