By Tiyam Shiribabadi 

In this day and age, consumers are giving away information without realizing where it is being sent or how it is being protected. Have you ever provided your name and email for a mailing subscription or an e-receipt? Have you ever provided a company with your postal code? Have you ever opened your financial books and signed up to have your credit checked? The answer, more often than not, is yes.

Now, why is this relevant? Personal information becomes important when it can be used to identify who you are. The fact that organizations may be engaging in obscure privacy protection practices may be putting you at risk of scenarios such as identity theft, phishing, and other cyber crimes.

Consumer Privacy Protection Under the Current Legislation  

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the handling of personal information in the course of any commercial activity. PIPEDA particularly applies to the way commercial organizations collect, use, anddisclosepersonal information. 

Collection, use, and disclosure of consumers’ personal information must adhere to the ten following principles:

1.     Accountability:Organizations are requiredto appoint someone or a team to be responsible for their compliance with PIPEDA.

2.     Identifying Purposes:Organizations are obligated to disclose the purpose of collecting a consumer’s particular personal information. 

3.     Consent: Subject to some exceptions, a consumer’s consent is almost always required for the collection of personal information. 

4.     Limiting Collection: Only the personal information necessary for fulfilling the purpose disclosed by the organization must be collected, nothing more. 

5.     Limiting Use, Disclosure, Retention: Organizations cannot use your personal information for a different reason other than the purpose that was consented to. Additionally, personal information may only be preserved so long as it continues to serve the consented purpose. 

6.     Accuracy: Personal information must be as accurate and as up-to-date as possible. Thus, consumers can request to have their personal information corrected. 

7.     Safeguards: The security measures must reflect the sensitivity of the personal information. 

8.     Openness: Detailed policies and practices regarding the handling of personal information must be made public and readily available for consumers. 

9.     Individual Access: Consumers can request to have access to their personal information as well as be informed of the use and disclosure. 

10.  Challenging Compliance: Consumers have the ability to challenge an organization’s compliance with PIPEDA. Challenges should be addressed to the person accountable for privacy protection within the organization. 

Exceptions to Mandatory Consent  

In order for organizations to circumvent the requirement for your consent, organizations must meet the following three criteria:

  1. The personal information must be shared with to another organization. 
  2. The purpose of sharing a consumer’s personal information must be for investigating a potential or previously committed: 
    1. Breach of agreement
    1. Contravention of Canadian law
    1. Fraud
  3. It is reasonable to expect that receiving the consent of the individual would compromise the investigation.

Mandatory Notification of a Data Breach

A breach is defined as personal information that has been lost, given unauthorized access, or given unauthorized disclosure due to a breach of an organization’s security measures. When a breach may pose a significant risk of harm to even only one individual, the organization is required to record the breach, report the details to the Office of the Privacy Commissioner, and notify the individuals at risk. Failure to do so may lead to a fine.  

Consumer Recourses in the Event of a Breach

If you are a consumer who believes their personal information may be at risk, you may consider the following options:

  1. Directly address your concerns to the organization in question. 
  2. Call the Office of the Privacy Commissioner (OPC) for quick guidance. 
  3. Send the OPC your comments through an online form. 
  4. If the organization is unwilling to respond to your questions or comply with any of the principles discussed above, you may consider filing a formal complaint. The OPC investigates and completes a report for the purposes of resolving complaints and preventing future contraventions. 
  5. If you are seeking further justice, it may be in your best interest to seek the advice of a lawyer. Filing a complaint to the Office of the Privacy Commissioner may find the organization liable. However, bringing an action for damages may hold specificemployees accountable. Below, you can read more about the necessary elements for establishing the privacy tort of intrusion upon seclusion. 

Common Law Tort of Intrusion Upon Seclusion

In 2012, the Court of Appeal for Ontario was presented with an action against a BMO employee who used her workplace computer to access her common-law partner’s ex-wife’s personal banking at least 174 times over the course of 4 years. As a result, the Court of Appeal for Ontario recognized a new right of action for claiming a privacy tort known as “intrusion upon seclusion.” 

The tort of intrusion upon seclusion requires the following three elements:

1.     The defendant’s conduct must be intentional, which includes recklessness. 

2.     The defendant must have invaded the plaintiff’s private affairs or concerns without lawful justification.

3.     A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish. 

The reasonable person standard is the conduct of a prudent person of ordinary intelligence in the particular circumstances of the case. The Court emphasized that intrusion upon seclusion will only apply to individuals with a reasonable expectation of privacy and not apply to individuals who are particularly sensitive or unusual about their privacy. As such, this tort may apply to intrusions upon financial or health records, sexual practises and orientation, employment, diary or private correspondence that can be described as highly offensive to the reasonable person. 

Finally, the tort of inclusion upon seclusion does not require proof of harm to a recognized economic interest. The Court of Appeal recognizes damages may be intangible in such cases. As such, the damages for this type of tort may only go up to $20,000.  The state of the law regarding data hacks and breaches is still developing. Until then, it is important to remain curious and exercise your right to have your questions answered before handing over your personal information. 

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.


You can learn more about PIPEDA and filing a complaint with the OPC through the links below.

PIPEDA Summary:

PIPEDA Complete Legislation:

OPC Contact Information:

OPC Online Form:

OPC Formal Complaint:

Jones v Tsige 2012: