By Melissa Lukings, JD Candidate, Faculty of Law, University of New Brunswick (UNB)
AND
Dr. Arash Habibi Lashkari, Assistant Professor and Research Coordinator, Canadian Institute for Cybersecurity (CIC), University of New Brunswick (UNB)
——

The end of 2019 marked the end of a decade that has been shaped by rapid technological development, advancing data-use research, and an increasingly hyper-connected global infrastructure. Cyberspace plays an undeniably fundamental role in our day-to-day lives and in business operations around the world, and yet human error still accounts for 95 per cent of all data breaches. This makes it crucial for corporations, organizations, and governments to address and mitigate potential threats to cybersecurity before such a breach occurs. As the online world around us changes and grows, our laws must evolve to remain effective in this rapidly developing landscape. As we begin our journey into the new ‘20s, we must increase our collective awareness to better protect our privacy and the privacy of others, and to mitigate the negative outcomes that may arise from failing to reduce the risk of breaches of secured data.

Cybersecurity laws — including data protection and privacy legislation — are laws that aim to safeguard information technology and computer systems from privacy breaches and unauthorized activity, as well as to compel corporations and organizations to protect their online infrastructure from cyber attacks. Potential cyber attacks include security breaches by malware, viruses, worms, and DoS attacks, unauthorized access to confidential or private information, and access to intellectual property, protected information, personal information, metadata, etc. Unfortunately, there will always be antagonistic parties acting in hostile ways. The current threat to data stored in, or transmitted by, electronic mobile devices is at an all-time high, which means that the list of people, not just hackers and crackers, who could potentially threaten the data kept by organizations is long and diverse.

Canadian cybersecurity and data protection legislation is governed by a specific set of statutes and common law rules, which are gradually evolving as the world we live in continues to change at an ever more rapid pace. While the legislative framework for these laws may appear overly complex, failure to understand and comply with this framework, and to take steps to reduce risks and the impact of those risks should they materialize, can result in harsh consequences, both legal and financial, for an individual or an organization living or operating in Canada. As a result, significantly more education and awareness of cybersecurity and of the laws around online data protection is required for the protection of all individuals.

Framing the Canadian legal landscape

The two main sources of Canadian law are the legislation — including Acts and statutes — and the Common Law — which refers to previous judicial decisions in cases with similar facts and matters.

i) Statutory Law

Statutory law relates to the laws implemented through legislation. Statutes, or Acts, are laws made by the (federal) Parliament or the (provincial/territorial) Legislature. The implementation of a new statute can create a new law, or modify or nullify a previously existing law. The rules that address the details and practical applications of the law expressed in each Act are known as its Regulations. The authority to make Regulations in relation to an Act is assigned within that Act itself. Put simply, statutory law refers to the entirety of written laws that are passed through the body of the legislature and voted on by the members of the governing body. Acts passed by the Parliament of Canada and by provincial legislatures are the primary sources of law in Canada.

The Statutes of Canada are the federal legal code of Canada: the federal laws and statutes enacted by the Parliament of Canada, collected into a single unified code. Examples of relevant and familiar statutory laws, with the years they were implemented, include the Criminal Code of Canada (1985), the Privacy Act (1985), the Personal Information Protection and Electronic Documents Act (2000), and the Cannabis Act (2018).

ii) Common Law

As a common law country, Canadian law adheres to the doctrine of stare decisis, which is the principle in common law systems that a precedent — an earlier decision or ruling in a previous legal case — is either binding or persuasive for a court when deciding future cases with similar issues or established facts. The goal of the common law legal system in deciding cases based on precedent and according to consistent principled rules is that cases that have similar facts will yield similar and predictable outcomes, which will aid in maintaining the fundamental principles of justice.

In our specific Canadian context, the concept of stare decisis means that the lower courts must follow the decisions of the higher courts by which they are bound. As a localized example, all of the lower courts of New Brunswick are bound by the decisions of the New Brunswick Court of Appeal and, all British Columbia lower courts are bound by the decisions of the British Columbia Court of Appeal. However, no New Brunswick court is bound by decisions of any British Columbia court and no British Columbia court is bound by decisions of any New Brunswick court.

While no other provincial court is bound by the decisions made within another province’s court, the decisions which are made in the highest court of each province (the Provincial Court of Appeal) are considered to be persuasive, while not binding, in other provincial jurisdictions. So while a decision made in the New Brunswick Court of Appeal does not bind another province, it may still be considered by a court in another province as being persuasive and therefore useful in decision making on similar matters.

Only the Supreme Court of Canada — the federal court — has the authority to bind all courts in the country with a single ruling. With matters such as cybersecurity, which is quickly evolving, or when there is little or no existing Canadian decision on a particular legal issue, it can become necessary to look to a non-Canadian legal authority for reference. In those situations, decisions of English (UK) courts and American (US) courts are often used persuasively.

Division of Jurisdictional Powers

There are three branches of government which are involved in creating, maintaining, and applying our legal structure: the legislative branch — which makes, alters, and revokes laws; the executive branch — which administers and enforces the laws; and the judicial branch — which applies the laws to resolve disputes that cannot be settled outside of the court. The government in power makes and administers both the legislative and executive branches of our laws, and the courts maintain the judicial branch of our legal structure by applying the laws when settling legal disputes. This is the same both federally and provincially, with each level of government being given the power to enact laws and make decisions on specific matters within the jurisdiction of that level of government.

A hierarchical flow chart illustrating the levels of court. Source: Canadian Department of Justice website.

In Canada, the Constitution Act, 1867 divided the authority to legislate statutes between the federal and provincial legislatures. Each legislature may only pass laws over specified areas; Section 91 of the Constitution Act, 1867 lists twenty-nine areas exclusive to the jurisdiction of the federal legislature and Section 92 lists sixteen areas subject to provincial legislation. In 1982, a number of additional provisions were added to the Constitution. These additional provisions are collectively referred to as the Constitution Act, 1982 and include the Charter of Rights and Freedoms and the procedure for amending the Constitution of Canada, among other important provisions.

Criminal Law

The criminal law in Canada falls under the exclusive legislative jurisdiction of the federal government, as per section 91(27) of the Constitution Act. This means that the Criminal Code of Canada and all criminal matters are made and dealt with under federal laws, which are created and modified through the Canadian Parliament. In a criminal case, the defendant is charged by the Crown (representing the Queen) for a violation of one or more provisions specified in the Criminal Code of Canada. The Criminal Code is a law that codifies most criminal offences and procedures in Canada. 

There are two types of criminal offences: summary offences and indictable offences. Summary offences are punishable by a fine of no more than $5,000 and/or 6 months in jail. Indictable offences carry greater available penalties than summary offences. A person may be criminally prosecuted for any offence found in the Criminal Code or in any other federal statute containing criminal offences. In a criminal case, the court finds the facts of the case and renders a decision, at which point the defendant may be given a sentence and suffer a penalty such as a fine, a prison term, or conditions upon release. The “victim” in the criminal case does not receive any direct benefit from the court decision other than the satisfaction that justice was served.

Tort Law

Tort law provides compensation for people who have been injured or whose property has been damaged by the wrongdoing of others. A “tort” consists of a wrongful act or injury that leads to physical, emotional, or financial damage to a person, for which another person could be held legally responsible. Canadian tort law is primarily judge-made law, with roots in the English tort. All torts require proof of fault in order to determine legal responsibility; however, fault is measured differently for the different types of tort.

There are two main branches of torts: intentional torts and unintentional torts. An intentional tort occurs when a person intends to achieve a particular outcome that results in injury to people or damage to property, whereas an unintentional tort, such as negligence, occurs when a lack of duty of care or foreseeability results in injury to people or damage to property. Intentional torts include actions like assault, battery, false arrest, false imprisonment, nuisance, trespass, and intentional infliction of mental distress. For negligence to be found, there must be an established duty of care, a violation of the standard of care, actual causation of the damage, reasonable foreseeability of the harm, and harm must have actually occurred.

Within our topic of cybersecurity, data protection, and privacy legislation, there are Criminal Code offences in Canada that could also qualify as torts under the common law. The reasons for charging someone under criminal law may differ from the reasons for suing someone in tort under the common law. It is worth noting that suing someone can result in a direct benefit to the complainant, whereas a criminal charge does not. As well, it becomes more difficult to benefit from suing someone in tort after they have already been criminally convicted of the same offence.

Currently, there is no consistent approach surrounding the tort of invasion of privacy in Canada. Four provinces, British Columbia, Manitoba, Newfoundland and Labrador, and Saskatchewan have created a statutory tort. Ontario has recognized the existence of the tort of invasion of privacy called “intrusion upon seclusion”. British Columbia, on the other hand, has held that the tort does not exist in that province under the common law.

Determining what is private

Protected Information                              | Unprotected Information
---------------------------------------------------|--------------------------------------------------------------------
Gender identification                              | Information that is not about an individual
Race / national / ethnic origin                    | Organizational information
Religion                                           | Information that has been rendered anonymous (provided that it is not possible to link that data back to an identifiable person)
Age                                                | Names of public servants
Marital status                                     | Positions of public servants
Medical history                                    | Titles of public servants
Education and employment history                   | Business contact information collected by an organization
Identifying numbers (e.g. SIN, driver's licence)   | Government information
Financial information                              |
DNA                                                |

Regulating relationships

The Individual

For individual relationships, the laws are guided by the statutory provisions and legislation (like the Criminal Code of Canada), tort laws (such as in civil division cases), and the presiding common law.

For an individual to access the information of another person (individual-individual), of an organization (individual-organization), or of a government (individual-government), they are limited in their right to access by the Criminal Code and associated tort laws.

In the case of an individual wanting to access and alter their own personal information as held by the government, they can request access to that information through the provisions given in the Access to Information Act.

The Organization

Organizations that operate fully or partially in Canada are bound by the Personal Information Protection and Electronic Documents Act (PIPEDA). For an organization to access the information of another organization (organization-organization), of an individual (organization-individual), or of a government (organization-government), the organization must operate according to the provisions set out in PIPEDA. As with individuals, an organization can request access to its own information through the Access to Information Act.

For a government to access the information of an individual (government-individual), or of an organization (government-organization), they must operate according to the provisions given in the Privacy Act.

We can further illustrate the relevant legal provisions which apply to the different parties in a table, as given here:

Type of Data Being Accessed | The Individual / Person as the Accessor                                          | The Organization as the Accessor                                                                  | The Government as the Accessor
----------------------------|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------
Individual Data             | Individual-Individual: Criminal Code of Canada and applicable previous common law cases | Organization-Individual: Personal Information Protection and Electronic Documents Act (PIPEDA)   | Government-Individual: The Privacy Act
Organizational Data         | Individual-Organization: Criminal Code of Canada and applicable previous common law cases | Organization-Organization: Personal Information Protection and Electronic Documents Act (PIPEDA) | Government-Organization: Privacy Act
Governmental Data           | Individual-Government: Access to Information Act                                | Organization-Government: Access to Information Act                                                | Government-Government: *** Access to Information Act

Current applicable federal laws

(I) The Privacy Act (R.S.C., 1985, c. P-21)

The Privacy Act is the legal framework governing personal information in the federal public sector. It explains how personal information must be protected in the relationships between individuals and the federal government. It applies to the Government’s collection, use and disclosure of personal information in the course of providing services, and to an individual’s right to access and correct any personal information that the Government of Canada holds about them.

The Privacy Act applies to federal government institutions and services including, but not limited to, pensions, employment insurance, border security, tax collection and refunds, federal policing, public safety, etc. It applies to all of the personal information that the federal government collects, uses, and discloses. The Privacy Act does not, however, apply to political parties and political representatives and their collection, use and disclosure of information.

(II) Access to Information Act (R.S.C., 1985, c. A-1)

“The purpose of this Act is to enhance the accountability and transparency of federal institutions in order to promote an open and democratic society and to enable public debate on the conduct of those institutions.”

The fundamental key to the Access to Information Act is the “right of access”. This is overseen by the Information Commissioner of Canada.

(III) Criminal Code of Canada (R.S.C., 1985, c. C-46)

The Criminal Code is a law that codifies most criminal offences and procedures in Canada. The specific elements of each offence can be found in the wording of the offence as well as in the case law interpreting it. The external elements typically require there to be an “act”, within some “circumstances”, and sometimes a specific “consequence” that is caused by the act, each of which must be proven by the Crown beyond a reasonable doubt.

(IV) The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

The purpose of the Personal Information Protection and Electronic Documents Act (PIPEDA) is to maintain trust and confidence in the marketplace. The main principles identified under PIPEDA are: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. For the purposes of this legislation, the law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

This Act also applies to all businesses that operate in Canada and handle personal information that crosses provincial or national borders, regardless of the province or territory in which they are based, including provinces with substantially similar legislation, and to federally regulated organizations that conduct business in Canada, such as airports, aircraft and airlines, banks, transportation companies, telecommunications, offshore drilling, radio and television, etc.

PIPEDA does not apply to not-for-profit or charity groups, political parties, or political associations unless they are engaging in commercial activities that are not central to their mandate and involve personal information.

Regulations such as the Breach of Security Safeguards Regulations and the Secure Electronic Signature Regulations were made under PIPEDA.

(V) Canada’s Anti-Spam Law (CASL) (S.C. 2010, c. 23)

“An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.”

An incredible 40 years have passed since the first spam email was sent out over the progenitor of the internet, the ARPANET, but spam communication remains a concern today. Emails promising millions of dollars, messages containing malicious attachments and nefarious links, unwanted text messages, advertisements, and phone calls all fall under the banner of spam. Having services and solutions that focus on blocking and mitigating the effects of spam is vital. Without a doubt, anti-spam laws that regulate unsolicited communication are one of the fundamental parts of cybersecurity law.

Notably, the Electronic Commerce Protection Regulations were also made under this Act.

Conclusion

To fully understand the relevant Canadian laws around cybersecurity, it is necessary to delve further into the individual legislation which has shaped the field of Canadian privacy law up until now. In the next instalment of this series on Canadian cybersecurity law, we will address the nature and implications of the Privacy Act and how this particular legislation influences our national cybersecurity landscape.