Year in review: top five Canadian privacy law developments

 In an increasingly data-driven world, it’s more important than ever that Canadian employers stay up-to-date on any and all developments on the privacy law front. Photo credit: Pexels/Ingo Joseph


This past year saw many developments in the area of privacy law that underscored the need of organizations to keep up with a data-driven world. This article summarizes the top five developments from 2022, which other than the trilogy of Ontario cases occurred in the federal jurisdiction.

It remains the case that in Ontario our only privacy legislation applies to personal health information protected under the Personal Health Information Protection Act (“PHIPA”) – applicable to public-sector organizations (e.g., hospitals), private businesses (e.g., pharmacies, long-term care homes), and health care professionals (e.g., doctors).

The Five Developments

  1. On June 1, 2022, the Office of the Privacy Commissioner of Canada (“OPC”) released findings from an investigation against the Tim Hortons app after discovering that it extensively tracked the exact or “granular” locations of its users, which is sensitive personal information within the meaning of Personal Information Protection and Electronic Documents Act (“PIPEDA”). 

The OPC found that the granular data collected through the app was not used by Tim Hortons for the disclosed intended purpose for which it was collected (i.e., targeted marketing), and unacceptable in the frequency and amount of sensitive data collected. 

The OPC further found that the consents gathered from app users for the collection of such data were obtained without proper disclosure, as users were unaware that the app tracked data even when not being used (i.e., uninformed consents). 

Additionally, the OPC found that Tim Hortons had inadequate contractual protections in place with a third-party service provider that assisted with collecting such data.

  1. On June 16, 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, also known as theDigital Charter Implementation Act, 2022 (“Bill C-27) was introduced. It was raised for debate at second reading in the House of Commons on November 4, 2022 and received another debate at second reading on November 28, 2022.   

Bill C-27 seeks to modernize and strengthen Canada’s private sector privacy legislation, including through introducing: 

– a new Personal Information and Data Protection Tribunal (the “Tribunal”) to review decisions issued by the OPC and impose fines and administrative monetary penalties.

– a right for individuals to bring an action for damages after suffering a loss or injury due to an organization’s non-compliance.  

– closer alignment with the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”), and Québec’s privacy reforms introduced by the recently-enacted Bill 64. Meaning, Canadian businesses would be able to transfer personal information without additional data protection safeguards and make it easier to do business in the EU and throughout Canada.  

  1. As part of Bill C-27 Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (the “AI Act”), was introduced on June 16, 2022. The AI Act is now proceeding on its own separate from Bill C-27.

If enacted the AI Act would apply to organizations that design, develop, deploy, or manage “high impact” AI systems and would focus on preventing biased output (as it relates to prohibited grounds of discrimination under the Canadian Human Rights Act), physical and psychological harm to individuals, property damage, or economic loss. To do so, the AI Act would: 

  • prohibit certain practices involving data and AI systems that could result in serious harm to individuals; 
  • impose assessments for organizations to determine whether their systems are classified as “high-impact”; 
  • put in place requirements that relate to the transparency, anonymization of data, and obligations to self-report to the Minister; and
  • be enforced through Federal Court orders and administrative monetary penalties. 
  1. On November 25, 2022, the Ontario Court of Appeal (the “OCA”) rejected the application of the tort of intrusion upon seclusion as part of class action lawsuits against companies who suffered a third-party data breach in the trilogy of cases of Winder v. Marriott International, Inc., Owsianik v. Equifax Canada Co., and Obodo v. Trans Union of Canada, Inc. 

Of note, the OCA in Winder expressly precluded the certification of class actions in cases where a third-party hacker accessed stored personal information of customers but there was no evidence of resulting harm to those customers. In coming to this conclusion, the OCA made it clear that: 

– the tort of intrusion upon seclusion only applies to “intruders” and not “constructive intruders”; 

– it was the hacker’s conduct in illegally obtaining the stored information and not the company’s alleged failure to protect it that constituted the “intrusion”; and 

– a company’s recklessness with respect to the storage of the information, for example, would not satisfy the conduct requirement of the tort of intrusion upon seclusion. 

  1. On December 1, 2022, Bill C-26, which includes the newly drafted Critical Cyber Systems Protection Act(“CCSPA”) was raised for debate at second reading in the House of Commons.

The CCSPA is a major development in Canadian cyber security law and if passed would put in place filing and self-reporting obligations as part of a new cybersecurity compliance regime essential to combatting cybercrime for federally-regulated private industries, including the Canadian telecommunications system, banking systems, and energy and transportation industries. Under the same new enforcement powers would allow the Governor-in-Council to impose consequences for contravention or non-compliance, including fines of up to $15 million and potential imprisonment. 


It is becoming increasingly important to ensure that organizations invest in up-to-date privacy management procedures and processes for protecting personal information and ensuring that they are in compliance with Canadian privacy obligations in the operation of their businesses.

Your donations help us continue to deliver the news and commentary you want to read. Please consider donating today.

Donate Today


  • Politics

  • Sports

  • Business