Bills C-13 and S-4, the two major privacy bills currently working their way through the legislative process, both reached clause-by-clause review yesterday, typically the best chance for amendment. With Daniel Therrien, the new privacy commissioner, appearing before the C-13 committee and the sense that the government was prepared to compromise on the controversial warrantless disclosure provisions in S-4, there was the potential for real change. Instead, the day was perhaps the most disastrous in recent memory for Canadian privacy, with blown chances for reform, embarrassingly bogus claims from the government in defending its bills, and blatant hypocrisy from government MPs who sought to discredit the same privacy commissioner they were praising only a few days ago.
Latest Posts
The Fear-Free Guide to Canada’s Anti-Spam Legislation: Answers to Ten Common Questions
The imminent arrival of Canada’s anti-spam legislation has sparked considerable fear that might lead the uninitiated to think that sending commercial electronic messages will grind to a halt on July 1st, when parts of the law kick in. The reality is far less troubling. For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so. Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.
This post is not legal advice, but it seeks to unpack the key requirements associated with the commercial electronic messages provisions in CASL by answering the ten questions organizations should ask (and answer). Note that there are additional rules associated with software that do not take effect until next year. While this is not designed to be comprehensive – some organizations will face unique issues – it provides a starting point for the key requirements, exceptions, and application of the law. The law itself can be found here. The Industry Canada regulations here and the CRTC regulations here.
The primary takeaways? If you send commercial electronic messages, you need explicit consent along with an unsubscribe mechanism and contact information. There are many common sense exceptions to this general rule, however, including personal messages, most business-to-business messaging, and most messages sent to recipients outside of Canada. Moreover, if you do not have explicit consent, the government has implemented a transition period that grants you three years to get it.
Proposed Data Breach Disclosure Rules Leave Too Many Canadians in the Dark
News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.
My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.
While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.
Rogers’ Shocking Admission: It Does Not Track Disclosures of Subscriber Information to Authorities
Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer and it is reasonable to guess that others will follow.
Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information is only part of the story. The report only contained data on requests for information with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities’ requests were granted, the company stated:
Why Has the Canadian Government Given Up on Protecting Our Privacy?
In recent years, it has become fashionable to argue that Canadians no longer care about their privacy. Supporters of this position note that millions of people voluntarily post personal information and photos about themselves on social media sites, are knowingly tracked by Internet advertising giants, and do not opt-out of “targeted” advertising from telecom companies. Yet if the past few months are any indication, it is not Canadians that have given up on privacy. It is the Canadian government.
My weekly technology law column (Toronto Star version, homepage version) notes the public response to the tidal wave of stories regarding widespread surveillance, the 1.2 million government requests to telecom companies for customer information, and the growing number of security breaches suggest that many Canadians are deeply concerned about the protection of their privacy. However, many feel helpless in the face on recent revelations and wonder whether the government is prepared to tighten privacy rules and establish stronger oversight.
Recent Posts
The Law Bytes Podcast, Episode 232: What Will Canadian Digital Policy Look Like Under the New Liberal Carney Government? 
The Law Bytes Podcast, Episode 231: Sara Bannerman on How Canadian Political Parties Maximize Voter Data Collection and Minimize Privacy Safeguards 
The Law Bytes Podcast, Episode 230: Aengus Bridgman on the 2025 Federal Election, Social Media Platforms, and Misinformation 
The Law Bytes Podcast, Episode 229: My Digital Access Day Keynote – Assessing the Canadian Digital Policy Record 
Queen’s University Trustees Reject Divestment Efforts Emphasizing the Importance of Institutional Neutrality
