Click on the links below to skip to your preferred section:
Information technology law in Canada covers a wide range of legal rules and practices, many of which are discussed elsewhere in this Guide, related to activities and transactions involving software, hardware, databases, electronic communications, the internet and other information technologies.
This section is a summary of some of the key legal issues under Canadian information technology law that one needs to consider when doing business in Canada.
1. Information Technology Contracting in Canada
1.1 - What terms are generally negotiated?
In Canada, information technology contracts generally specify each party’s obligations (such as delivery, performance, payment and confidentiality obligations), their ownership and licence rights (including scope of use), acceptance tests and procedures, source code escrow (if applicable), representations, warranties, indemnities, limitations on liability and disclaimers. Disclaimers and limitation of liability clauses in information technology contracts can help minimize risks. However, it is important to note that the peculiarities in Canadian law may render such clauses unenforceable and require careful drafting and review by Canadian counsel.
1.2 - Assignments and licences
In Canada, assignments and exclusive licenses of intellectual property rights should be in writing and should be registered with the Canadian Intellectual Property Office. Note that an author’s moral rights, which exist under the Copyright Act, cannot be assigned but must be waived. See Section X, “Intellectual Property.”
1.2.1 - Are software licences assignable and capable of being sublicensed?
A software licence may be viewed by Canadian courts as “personal” and thus not be assignable or capable of being sublicensed to third parties unless the licence contains the express permission by the licensor to do so. In addition, confidentiality restrictions and limitations on licence scope can also affect the transferability of a licence agreement. This is an important point to keep in mind when doing due diligence in any Canadian commercial acquisition.
1.2.2 - Are shrink-wrap, click-wrap and browse-wrap licences enforceable in Canada?
Off-the-shelf computer programs that are accompanied by “shrink-wrap” licences and online “click-wrap” and “browse-wrap” agreements have received mixed enforceability before Canadian courts due to the requirement in Canadian law that both parties must assent to a contract in order for it to be binding on them. Such agreements have been enforced where the purchaser was impressed with the knowledge of the terms at the time of sale or the website owner has given proper notice of the terms before the parties entered into their agreement. They have also been enforced with proof of established prior business conduct or by the subsequent conduct of the user.
1.3 - Applicability of sale of goods legislation
1.3.1 - Are information technology purchases considered sales of goods?
If a transaction for the acquisition of information technology falls within the scope of provincial sale of goods legislation, certain rights and obligations will follow. Canadian courts tend to treat computer system acquisitions as sales of goods while transactions involving pure service, maintenance, custom training or programming are generally characterized as incidental to the sale of goods and therefore not subject to sale of goods legislation. Pre-packaged software supplied pursuant to a licence agreement is not subject to sale of goods legislation as no property in the software is transferred to the licensee. An exception occurs where the software is provided in conjunction with a larger transaction involving the sale of goods (e.g., hardware).
1.4 - Consumer protection
1.4.1 - How do consumer protection laws affect internet business and e-commerce?
Certain provinces have enacted consumer protection legislation that prescribes various requirements for internet sales contracts, such as the disclosure of relevant information and the delivery of a copy of the contract to the consumer. The federal government has also released a code of conduct for businesses engaging in electronic commerce transactions with consumers. See Section IV, “Trade and Investment Regulation.”
2. Intellectual Property Rights in Information Technology
2.1 - Copyright
2.1.1 - What information technology is protected by copyright?
Copyright is currently a primary source of protection for software programs, user manuals, databases, websites and other information technology works in Canada. However, to be the subject matter of copyright and consequently garner protection, the work must meet the requirements of the federal Copyright Act. The work must be “original,” meaning that it originated from the author and that skill and judgment were used in its creation. Further, it must be fixed. The fixation requirement with respect to information technology is generally easily met. Since December 30, 2022, the term of copyright protection in Canada has extended to 70 years; this 20-year extension is not retroactive.
Computer programs are protected under the Copyright Act as literary works. Canadian courts have recognized that the writing of a computer program uses sufficient skill and judgment and therefore computer programs will typically meet the minimal originality requirement to obtain protection under the Copyright Act. Updates or enhancements to software are subject to independent copyright protection. The fact that a computer program is created using well-known programming techniques or contains unoriginal elements may not be a bar to copyrightability if the program as a whole is original.
Computer hardware designs and plans have also received copyright protection in Canada. Further, any software code stored on the hardware may be subject to copyright. Computer chips may be subject to integrated circuit topography protection. See Section XI.2.2, “Integrated circuit topographies.”
In addition, courts in Canada have held that a web page’s look, layout and appearance are protected by copyright, as are underlying elements that would otherwise qualify for copyright protection, such as text or musical works.
Once the legal requirements are met, the copyright holder has a variety of rights including the right to reproduce, perform, communicate the work, or authorize any of those acts. An unauthorized act of making a work available online, including via download or stream, and any subsequent unauthorized streaming or downloading of a work, is considered to be infringing the author’s copyright.
2.1.2 - Who owns the copyright in information technology?
As discussed in Section X, “Intellectual Property,” the author of an information technology work is generally considered to be the first owner of the copyright in it. An exception to this rule is where the author is an employee and the work is created in the course of employment, (in the absence of an agreement to the contrary, the first owner of the copyright is the employer not the employee). A written assignment agreement is considered essential where works are created using non-employee third parties.
Certain discussions have commenced regarding whether an artificial intelligence (AI) system could be considered an author or the owner of a work. The Government of Canada published in July 2021 a consultation paper discussing the issue and requesting submissions. Over half of the submissions supported amendments to the Copyright Act. These proposed changes range from adding or removing specific provisions to broader clarifications, such as clarifying the definition of “author.” As it currently stands, Canadian jurisprudence suggests that an author must be a natural person (i.e., a human being) “who exercises skill and judgment” in creating the artwork.
A human could contribute enough skill and judgment to a work made using AI to be recognized as the author. However, it is unlikely this would apply to works solely generated by AI from brief human instructions. In 2021, the Canadian Intellectual Property Office registered a copyright in an artistic work for which one of two co-authors was an AI program for the first time. However, the registered owner remained a natural person, and the registration of this artistic work is currently under challenge before the Federal Court of Canada.
Currently, we are waiting to see what policy developments the Government of Canada undertakes following the submissions and what the Federal Court ruling will be.
2.1.3 - Can databases receive copyright protection? What criteria must be met?
Under the Copyright Act, databases are given protection as “compilations.” The Supreme Court of Canada has ruled that, to receive copyright protection, databases must be independently created by the author, and the selection and arrangement of the components that make up the database must be the product of an author’s exercise of skill and judgment. The exercise of skill and judgment must not be so trivial so as to be characterized as a purely mechanical exercise. However, “creativity,” in the sense of novelty or uniqueness, is not required. In addition, the creator of the database only acquires copyright in the database and not in the individual components of the database.
2.1.4 - What information technology is not protected by copyright?
Canadian copyright law does not protect the underlying mathematical calculations, algorithms, formulae, ideas, processes, or methods contained in information technology, only the expression of the same.
2.2 - Integrated circuit topographies
Integrated circuit topographies (or computer chips) are protectable in Canada by the Integrated Circuit Topography Act. See Section X, “Intellectual Property.”
2.3 - Trade secrets
Information technology, including but not limited to a formula, pattern, compilation, program, method, technique, or process, may also be protected under trade secret law where duties of confidence exist either in law or by virtue of an agreement. These duties must be reasonable to be enforceable. See Section X, “Intellectual Property.”
2.4 - Trademarks
Trademarks can be used to protect the goodwill associated with the name(s), slogan(s), symbol(s), and other marks used by a business in the information technology industry. Trademark rights arise under the federal Trademarks Act and at common law. Significant amendments were introduced to the Trademarks Act in 2014. A few minor amendments came into force in 2015, while the most important amendments came into force in June 2019. These amendments include the elimination of the requirement that a mark be used in Canada or abroad before registration. Trademark protection is limited to the goods or services listed in the application, making it important to consider what a business plans to use the trademark for. This includes software, apps and virtual goods. See Section X, “Intellectual Property.”
2.4.1 - How are domain names protected?
Domain names may garner trademark rights if they meet the statutory or common law requirements for trademarks. Thus, it has been possible to register a domain name as a word or standard character mark. Trademark owners may be able to obtain relief in Canada for cybersquatters under trademark law and the Canadian Internet Registration Authority’s alternative dispute resolution process (where the dispute is in respect of a .ca domain name). For generic domain names, the rules promulgated by the Internet Corporation for Assigned Names and Numbers will apply.
2.4.2 - What risks do metatags pose?
Canadian courts have held that the use of metatags (i.e., tags or keywords in a website’s coding used by search engines to sort web pages) that are confusingly similar to another person’s trademarks may constitute trademark infringement.
As for the use of keyword advertisement, such as Google AdWords, the Quebec Superior Court and the British Columbia Court of Appeal have found that bidding on a keyword is not in and of itself an infringement of the Trademarks Act. Such practice is generally seen as legitimate, providing greater choice to consumers, rather than creating confusion. However, sponsored links on search pages resulting from keyword advertisements can infringe the Trademarks Act if such links are confusingly similar to another person’s trademarks.
2.5 - Patents
In Canada, patents for information technology inventions must comply with the statutory requirements of the federal Patent Act.
On June 22, 2023, the Act to implement certain provisions of the budget tabled in Parliament on March 28, 2023 (Bill C-47) received royal assent. This introduced a patent term adjustment system that compensates patentees for unreasonable delays in granting patents. The system is scheduled to take effect on January 1, 2025, and applies to patent applications filed on or after December 1, 2020, that experienced such delays. See Section X, “Intellectual Property” for further information.
2.5.1 - Is software and other information technology patentable in Canada?
The Canadian Intellectual Property Office routinely issues patents for software-based inventions, particularly methods performed using computer-executable instructions that operate with some hardware elements or that focus on the systems, processes and methods used to achieve a solution to a specific technical problem, rather than on the algorithm per se. Furthermore, the Canadian Federal Court of Appeal ruled that an online method of doing business included patent-eligible subject matter. However, computer programs are not patentable in Canada if they only perform a series of mathematical calculations or if they relate to an abstract idea.
2.5.2 - Can an AI system be considered an inventor under Canadian patent law?
The Canadian Patent Office received a patent application with an AI system listed as the inventor. Known as DABUS and described as a "creativity machine," the applicant Stephen L. Thaler had originally listed the machine as the inventor. A letter of non-compliance was sent to the applicant clarifying that it does not appear possible for a machine to have rights under Canadian law or have the capacity to transfer said rights to a human. A full decision has yet to be rendered by the Canadian Patent Office. However, the inventor section of the application has since been changed to "unknown." Numerous other patent applications with DABUS listed as the inventor have already been rejected in other jurisdictions, including Australia, the United States, the United Kingdom, as well as by the European Patent Office Board of Appeal.
3. Criminal Law Issues Relating to Information Technology
3.1 - Offences under the Criminal Code
In Canada, offences under the Criminal Code directly dealing with information technology include:
Theft of computer data
Defrauding the public of any property, money, or valuable security by deceit, falsehood or other fraudulent means using computers
Use of a computer in an unauthorized manner or to possess an instrument for that purpose (i.e., hacking)
Mischief in relation to computer data (i.e., distributing computer viruses)
Trafficking in unauthorized passwords
There are several other criminal offences under the Criminal Code and the Copyright Act, which may indirectly involve information technology.
3.2 - Lawful access
Lawful access generally refers to the interception of communications and the search and seizure of information carried out by law enforcement agencies pursuant to legal authority, including under the Criminal Code. Significant changes were introduced to lawful access legislation in 2015. Among other changes, certain Criminal Code provisions dealing with the interception of communications were amended, giving law enforcement new powers to collect electronic evidence in the context of an investigation. In particular, these changes introduced a preservation demand and preservation order. These enable law enforcement officials to demand or order third parties who possess or control computer data, including internet service providers, to preserve it for 21 to 90 days. In addition, new production orders for historical transmission data and tracking data were introduced, as well as requirements for real-time transmission data and tracking data, allowing law enforcement officials to retrace an individual’s web patterns and remotely activate existing tracking devices (e.g., in vehicular GPS). It is important to note that in certain cases, the demands, orders or warrants created by these changes are subject to a threshold of “reasonable grounds to suspect” rather than the higher threshold of “reasonable grounds to believe.”
3.3 - Reasonable expectation of privacy in an IP address
Section 8 of the Canadian Charter of Rights and Freedoms Canadians the right to be secure against unreasonable searches or seizures, giving Canadians a reasonable expectation of privacy. With time, this expectation of privacy has been expanded by courts to include various technologies, such as an individual's personal computer and subscriber information that is attached to their IP address. On March 1, 2024, the Supreme Court of Canada affirmed that an IP address inherently attracts a reasonable expectation of privacy, because it is a crucial link between an Internet user and their online activity. The Court described an IP address as the key that unlocks a user’s internet activity and ultimately their identity. As a result, police and investigative agencies must obtain judicial authorization to compel the disclosure of IP addresses. Otherwise, they risk violating section 8 of the Canadian Charter of Rights and Freedoms.
4. Cryptography Controls
4.1 - Are there restrictions on using encryption in Canada?
Other than export controls, and subject to any applicable intellectual property, confidentiality and criminal law issues, businesses and consumers in Canada are free to develop, import and use whatever encryption technology they wish.
5. Privacy and Data Protection
As discussed in Section IX, “Privacy Law,” the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial private-sector privacy legislation in some provinces impose conditions on the collection, use and disclosure of personal information by organizations in the course of commercial activity.
These laws contain requirements for the protection of personal information within the control of an organization, including security measures to prevent unauthorized access, collection, use, disclosure, modification, destruction, and other similar acts. There may also be requirements in the event of a data breach. Businesses that collect, use or disclose personal information must comply with PIPEDA and/or the applicable provincial private-sector legislation.
The federal government also enacted the Digital Privacy Act in June 2015, which sets forth obligations on private-sector companies aimed at ensuring that consumers’ personal information remains protected online. All provisions of the Digital Privacy Act are now in force, including those outlining data breach notification and reporting requirements.
In addition to the pre-existing obligations applicable to private-sector companies, on June 16, 2022, the federal government introduced a proposed law titled An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Bill C-27). The second reading of the bill occurred on April 24, 2023. The new statutory framework proposed in Bill C-27 governs private sector personal information protection practices and, if passed, would enact the three new statutes. Particularly, The Consumer Privacy Protection Act (CPPA) would repeal and replace Part 1 of the Personal Information Protection and Electronic Document Act. Part 2 of PIPEDA will be renamed to An Act to provide for the use of electronic means to communicate or record information or transactions, or the Electronic Documents Act. The Personal Information and Data Protection Tribunal Act would establish an administrative tribunal to review certain decisions made by the Privacy Commissioner of Canada and make orders for contraventions of the CPPA.
On September 22, 2021, the Quebec Government adopted Bill 64, An act to modernize legislative provisions as regards the protection of personal information. This bill presents significant changes to the requirements governing the use and protection of personal information under various Quebec provincial statutes (including the distinct laws that apply to private sector entities and to public sector entities). This bill created new obligations for business operations in Quebec. Notably, public and private entities must now report data breach incidents and organizations must appoint a privacy officer. The fines for noncompliance with privacy legislation also increased as of September 2022, in both the public and private sectors.
For more information, see Section IX, “Privacy Law.”
6. Electronic Evidence
6.1 - Is electronic evidence admissible in court?
In Canada, electronic evidence is admissible in the courts provided that it meets the rules found in the common law and applicable statutes such as the federal and provincial Evidence Acts and the Rules of Civil Procedure. These rules include: (i) authentication by the party tendering the evidence; (ii) integrity of the system used and the method of record keeping, information storage, and retrieval; (iii) originality; and (iv) reliability.
Canadian courts have admitted electronic evidence where it accurately and fairly represented the information it purported to convey. Finally, Canadian courts have permitted the use of the internet in court and have admitted the contents of websites.
7. Electronic Contracting
7.1 - Are electronic signatures and documents valid in Canada?
In Canada, at both the federal and provincial/territorial levels, a series of e-commerce legislation has given statutory recognition to the legal effect of most types of electronic signatures and documents (with some exceptions such as wills, negotiable instruments and land transfers) that meet the requirements set out in the applicable statutes and regulations.
It is important to verify the validity of these documents as there can be variations in each jurisdiction. For example, British Columbia is now the first province to permit electronic wills.
Attention should also be given to the conduct of the parties, taking into consideration whether a reasonable person would infer their intention to be bound by an agreement. This includes informal interactions which may be enough to denote acceptance of an agreement. This was the case in a trial court where a thumbs-up emoji was enough to enforce the disputed agreement.
8. French Language Issues
8.1 - Must websites and information technology contracts be translated into French?
The province of Quebec has language legislation, the Charter of the French Language and its regulations that may impact electronic contracting and websites by requiring a French version to be made available if the parties or transactions involved have a Quebec connection, such as an office or employees located in Quebec. The Charter of the French Language imposes obligations for various communications, including commercial advertising, to be in French. It also imposes specific language requirements for certain contracts, in particular contracts of adhesion; such contracts (such as the information found on a transactional website including terms of service) must first be provided to the adhering party in French before the parties may opt to be bound by a version in another language. Failure to comply with this requirement could render the contract null or non-enforceable against the adhering party, or give rise to fines or claims in damages.
8.2 - Does software have to be translated into French?
Under Quebec’s language laws, all computer software sold in Quebec must be available in French, unless no French version of it exists. Software may be available in languages other than French, provided that the French version can be obtained on terms (except price where it reflects higher production or distribution costs) that are no less favourable and that it has technical characteristics that are at least equivalent. In addition, the software must meet the French language packaging and labelling requirements.
9. Jurisdiction and the Internet
9.1 - Where are electronic contracts formed?
In Canada, the issue of where electronic contracts is considered to be formed has not yet conclusively been determined and the answer may be different from one province to another. Unlike taxes, which Canadian courts have held to be “instantaneous” in some circumstances and thus formed when and where the offeror receives notice of the acceptance, it is not clear whether electronic communication such as emails or contracts formed on a website are instantaneous. The Canadian e-commerce legislation (see Section XI.7.1, “Are electronic signatures and documents valid in Canada?”) provides some guidance as to when and where electronic documents are presumed to be received. However, the mere posting of information on a website may not be sufficient to deliver that information to another person. In addition, the exchange of emails discussing a contract or a contractual relationship may not be sufficient to form a contract.
9.2 - Can foreign websites and internet transmissions be subject to Canadian laws?
A court can exercise jurisdiction in Canada if there is a “real and substantial connection” between the subject matter of the litigation and the jurisdiction. Generally speaking, the courts have found that the more active a website or its owner’s activity is in Canada, or if the website or business activity targets persons in Canada, it will be subject to Canada’s laws. The fact that the physical location of a website or its server is outside Canada will not immunize the website owner from legal consequences in Canada.
Recently, the Supreme Court of Canada upheld an injunction granted on a worldwide basis against a leading search provider, demonstrating that Canadian courts can extend their reach and subject global websites to Canadian laws.
The Supreme Court of Canada has also applied the “real and substantial connection” test in determining jurisdiction in online copyright matters. The application of the Copyright Act depends on whether there is a real and substantial connection between the internet transmission and Canada. This test turns on the facts of each case and relevant connecting factors include the situs of the content provider, host server, intermediaries and end user.
9.3 - Can parties to an online contract choose the governing law and forum?
In Canada, the parties to an online contract have, subject to certain exceptions (for example consumer protection), the right to choose the governing law of the contract, the exclusive court in which disputes are to be heard, and to exclude the application of conflict of laws principles. However, the Canadian courts have found that such clauses cannot be used to oust the jurisdiction of a substantially connected province. The Supreme Court of Canada has also recently stated that, irrespective of the validity of a governing law clause, courts may find such a clause unenforceable for policy reasons; for example, if there is a strong public interest in having a decision heard in Canada or if there is extreme inequality in the bargaining position of parties to a contract.
10. Internet Regulation
10.1 - Are internet activities regulated in Canada?
The Canadian Radio-television and Telecommunications Commission (CRTC) is the body responsible for regulating broadcasting and telecommunications in Canada. It regulates certain types of internet businesses and activities in Canada. For instance, if an internet business qualifies as a “telecommunications services provider” i.e., by offering voice or data telecommunications services, under the Telecommunications Act, it may be subject to telecommunications regulation, which may impact its operations, ownership, facilities, rates and services. The CRTC also regulates the sending of certain commercial electronic messages, discussed below.
In addition, the CRTC has been granted express powers to regulate certain audio and audiovisual content transmitted over the internet in Canada. In 2023, the Online Streaming Act (Bill C-11), amended Canada’s Broadcasting Act by introducing modernized provisions addressing internet-based broadcasting, including many on-demand video and audio streaming services and social media platforms. These amendments aim to reduce the regulatory asymmetry between traditional broadcasters and online broadcasters by expressly empowering the CRTC to subject online broadcasters to some of the same types of requirements imposed on traditional broadcasters. Online broadcasters had previously been exempted from CRTC regulation. Many of these requirements are currently the subject of regulatory consultations and have yet to be determined. The CRTC currently requires certain online broadcasters to register with the CRTC, comply with basic conditions of service, pay broadcasting regulatory fees, and contribute a percentage of their Canadian broadcasting revenues to the production and distribution of Canadian and Indigenous content. Bill C-11 has also expanded the CRTC’s enforcement tools, which now include administrative monetary penalties.
Note that there are currently no compulsory copyright licences available for retransmission of over-the-air broadcasts over the internet unlike conventional television. As a result, re-transmitters have to negotiate copyright licences with all rights holders to broadcast works. It is not uncommon, however, for third parties to unlawfully distribute certain broadcasts without the copyright holder’s consent, forcing those rights holders to request injunctions. These orders have been requested immensely following the 2019 Bell Media Inc. v. GoldTV.Biz case. The Federal Court of Canada has now granted its first order requiring internet service providers to block IP addresses in real time. Referred to as a dynamic site blocking order against internet service providers, this allows internet service providers to follow and continuously block illegally streamed content as it changes IP addresses. This order was granted in regard to the streaming of live hockey games.
2023 also saw the Online News Act (Bill C-18) receive royal assent. Bill C-18 requires certain large digital platforms to participate in a bargaining process related to their dissemination of news content online with certain news businesses, or groups of such news businesses. The bargaining process consists of a mandatory negotiation period, followed by mediation (if negotiations are unsuccessful), which may be followed by final offer arbitration (if mediation is unsuccessful). Bill C-18 has attracted significant attention, and its effects on the Canadian news industry are continually evolving.
Further, there are certain obligations that must be met under consumer protection laws when doing business with consumers on the internet. See Section XI.1.4, “Consumer protection” and Section XI.9.3, “Can parties to an online contract choose the governing law and forum?”
10.2 - What rules apply to online advertising?
The same basic rules that govern traditional advertising and marketing practices, including the Competition Act and the Criminal Code apply to all forms of internet advertising and marketing, such as deceptive prize notices, representations on websites and bulletin boards, or in emails, newsgroups and chat rooms. The Competition Bureau has prepared guidelines that address some of the ways in which these traditional rules are applied in the online context, including the use of disclaimers and hyperlinks, and the information that should be provided online when advertising products, services and businesses.
Canada’s Anti-Spam Legislation (CASL) introduces new civil and criminal provisions in the Competition Act, which regulate false and misleading representations and deceptive marketing practices in the electronic marketplace. For more details on CASL, see Section XI.10.3, “Is spam illegal in Canada?” and for more information on advertising regulations, see Section IV, “Trade and Investment Regulation.”
10.3 - Is spam illegal in Canada?
Designed as one of the most stringent anti-spam regimes in the world, CASL has a significant impact on the electronic communication practices of companies in Canada and foreign companies sending commercial electronic messages (CEMs) to recipients in Canada. Many of the provisions of CASL, including those dealing with CEMs, came into force on July 1, 2014, while the provisions dealing with the unsolicited installation of computer software came into force on January 15, 2015. CASL also restricts other activities, including the ability of businesses to alter transmission data in electronic messages.
Subject to certain exceptions set out in the law and its accompanying regulations, CASL prohibits the sending of CEMs to an electronic address unless: (1) the person to whom the message is sent has consented to receiving it; and (2) the message complies with prescribed form and content requirements. Among other requirements, express consent under CASL must be “opt-in,” meaning that an explicit and positive consent from an intended recipient of a CEM must be obtained before sending a message. This differs from the common industry practices of using an opt-out or negative option method of obtaining consent for marketing, such as a pre-checked consent box that a consumer has to un-check to signify they do not wish to receive marketing messages.
With respect to the unsolicited installation of computer programs, subject to limited exceptions, CASL prohibits installing, or causing to be installed, a computer program (which may include software updates and upgrades) on another person’s computer system including a laptop, smartphone, tablet, gaming console or other connected device in the course of commercial activity, without the express consent of the device owner or an authorized user. As with consent for sending CEMs, consent to the installation of computer programs must be “opt-in” and must be obtained in the prescribed manner. Disclosure requirements will also apply.
The potential penalties for non-compliance under CASL are significant and include administrative monetary penalties of up to C$1-million for individuals and C$10-million for corporations.
CASL also creates a private right of action for persons who have been affected by a contravention of any number of CASL’s provisions, including the anti-spam provisions. The provisions of the statute providing for a private right of action were originally scheduled to come into effect on July 1, 2017, but their enactment has now been suspended indefinitely. This suspension is welcome news for industry, which has been very concerned about lawsuits, including class actions, being instituted while industry struggles to understand and comply with the requirements of this legislation.
It should be noted that the Competition Act provisions dealing with the advertising of certain products, such as tobacco, or misleading advertising as well as the Criminal Code provisions dealing with fraud, authorized access and use of computers and mischief against data, could also apply against spammers. Various industry groups have established member codes and guidelines dealing with the distribution of promotional materials and enforcement.
PIPEDA and similar private-sector privacy legislation in some provinces (see Section IX, “Privacy Law”) may also affect spammers by imposing obligations on how personal information, which may include email addresses, is collected, used and disclosed in the course of commercial activity.
11. Liability of Internet Service Providers (ISPs)
11.1 - What risks of liability do ISPs face?
ISPs, and possibly their directors and officers, may be liable under contract, tort or statute, for various claims arising from the provision of their services.
11.2 - Does Canada have any laws that protect ISPs from liability?
Canada has not passed legislation providing blanket immunity to ISPs from liability, however, courts have generally not held them liable for the infringing activities of their users. In the area of copyright, the Supreme Court of Canada has concluded that ISPs, and other intermediaries, will not face liability for copyright infringement if they restrict their activities to providing a conduit for information and do not engage in acts that relate to content. The Supreme Court has also found that caching (the temporary storage of material by the ISP) is also a protected activity.
Canada’s Copyright Modernization Act codified the Supreme Court’s approach in 2012 by limiting the liability incurred for “providing services related to the operation of the internet or another digital network.” This limitation covers the activities of ISPs as well as those of persons who provide caching and hosting services. The Copyright Modernization Act also implements a “notice-and-notice” regime, under which ISPs are required to send notices of potential infringement received from copyright holders to their potentially infringing subscribers.
The province of Quebec’s Act to Establish a Legal Framework for Information Technology also establishes a regime for liability and some protection in certain circumstances for ISPs acting as intermediaries on communication networks. Following the coming into force of Bill 6, this law has recently been updated.
12. Artificial Intelligence
As discussed in Section 5, if passed, Bill C-27 would significantly reform federal private-sector privacy law. This includes rules to regulate international and interprovincial trade and commerce in “high-impact” artificial intelligence (AI) systems under a new Artificial Intelligence and Data Act (AIDA).
Among other things, AIDA would: establish a new AI and Data Commissioner to support the Minister of Innovation, Science, and Industry in enforcing AIDA and, make it an offence to make available or use an AI system that is likely to cause serious harms. Through its harm-based approach to regulating AI, AIDA would create new obligations applicable across Canada, for yet-to-be-defined “high-impact systems”. As of 2024, Bill C-27 (including AIDA) has yet to come into effect.
Moreover, in June 2022, the federal government also announced the AI Voluntary Code of Conduct, a set of guidelines that organizations are encouraged to apply in developing and managing generative AI systems. Its role is to act as a “critical bridge” until AIDA comes into force. In undertaking this commitment, developers and managers of advanced generative systems commit to working to achieve the following outcomes: accountability, safety, fairness and equity, transparency, human oversight, and validity and robustness.
Note also that provincial legislatures have not yet enacted laws directly regulating AI. The Conseil de l’innovation du Québec (CIQ), an advisory group to the provincial government, however, has recommended that Quebec adopt AI regulations.
13. Increase in cybersecurity risks
13.1 - How common are cyber attacks?
In recent years, cyberattacks and their costs have increased drastically for businesses.
Businesses should be on high alert and pay particular attention to ransomware attacks as they are among the most common and are typically the costliest. Threat actors are ever more sophisticated in their attacks and thus the size of ransom payments made increases each year. In fact, ransom payments over US$100,000 have become increasingly common, with many payments even exceeding US$1-million (sometimes by a considerable amount). The actual costs of a cyberattack, regardless of whether a ransom is paid or not, can easily run into millions of dollars when factoring in hard costs in addressing the cyberattack, lost revenues due to the disruption and reputational damage. Based on current trends, almost half of organizations targeted by ransomware attacks ultimately paid a ransom.
Over the past year, there has also been more concern regarding the protection of data and personal information. Observations show that in the majority of cases, threat actors were able to access , and subsequently remove, an organisation’s sensitive information.
With the increase in cyber attacks, business need to ensure they are diligent in their cybersecurity practices. Whether it is by choosing the right technology, keeping up with the best software and hardware practices or maintaining a security team, it is vital for businesses to have cybersecurity preparedness measures in place. For more details on cybersecurity, see the Blakes Canadian Cybersecurity Trends Study 2024.
13.2 - Do I have an obligation to report breaches?
The requirement to report a cybersecurity breach in Canada depends on the specific circumstances surrounding the incident. Reporting obligations can arise from privacy legislation, such as under PIPEDA or provincial privacy laws, or from sector-specific regulations applicable to certain industries like finance or health care. While reporting is not always mandatory, recent trends show a shift toward increased mandatory reporting requirements, driven by legislative reforms.
In the event of a breach or suspected breach, it is essential to act proactively not only to reduce potential damages, but also to determine which reporting requirements may apply. For further details, refer to Section IX, ''Privacy Law.''
13.3 - What are the cybersecurity considerations when acquiring a business?
Cyberattacks can cause major damage to a business, such as higher costs from operational disruption, altered business practices and reputational damage. Cybersecurity considerations are thus an important factor for potential acquirers or investors of Canadian businesses.
To enhance their protection during a transaction , buyers can include cybersecurity concerns in the due diligence process and by negotiating certain contractual protections. During the due diligence process, buyers should question the target company regarding its history with cyberattacks. A review of the target entity’s cybersecurity practices, data governance, policies and procedures should also be conducted.
The buyer can also negotiate contractual protections to the purchase agreement or include holdbacks on the purchase price payable to the seller(s) to cover cybersecurity liability costs post-acquisition.
13.4 - Are companies being held liable in class actions for data breaches?
Victims of data breaches have been coming forward to commence class action lawsuits against businesses who have been the target of various breaches of cyber attacks.
Class actions occur in two steps. First, the action must be certified or authorized, depending on the jurisdiction. This first step allows a class action to commence. Second, the merits of the action must be evaluated. This step is usually dealt with in a later judgment. It is not uncommon to see class actions seeking damages from a data breach to pass this first step. However, passing the second step is more difficult; we have yet to see businesses be held liable following a contested merits hearing.
Overall, settlement values for members of a class action continue to be relatively low, mirroring the ongoing uncertainty regarding the accountability of businesses in data breach cases.
13.5 Can’t companies rely on privilege in case of a claim?
Scrutiny over a data custodian’s handling of a breach is also increasing. Recently, a court has denied a party’s claim that information regarding a data breach was protected by solicitor-client privilege. Privilege was denied on the grounds that the defendant had an obligation to disclose information about a breach under statutory law and failed to demonstrate that the information was relevant to their litigation strategy. This highlights the importance of having a coherent plan and proper information handling practices when responding to a breach.
Courts have increasingly shown themselves open to considering data custodians liable for statutory tort violations, even if they are innocent of any wrongdoing. Courts have certified class actions on the theory that if data custodians failed to take appropriate measures to safeguard customer data from cybercriminals, they may have breached provincial privacy laws.