Skip to main content

Privacy Law & Breaches of Privacy

Privacy Law and Breaches of Privacy

A number of laws apply to the collection, use and disclosure of personal information about individuals, including , with respect to private sector organizations, the Personal Information Protection Act (PIPA), and the federal Personal Information Protection and Electronic Documents Act (PIPEDA). With respect to the public sector, the provincial Freedom of Information and Protection of Privacy Act (FOIPPA), and the federal Privacy Act generally apply.  In the case of personal information held by schools, the provincial School Act may also apply. Which law applies, and which privacy commissioner may have jurisdiction, generally depends on the nature of the employer or organization involved.

Privacy legislation contains restrictions on the extent to which some organizations are legally permitted to collect, use and disclose personal information.  It also generally requires personal information to be adequately safeguarded, and may provide individuals with certain other rights.

Quasi-constitutional Status

In Douez v. Facebook, Inc. 2017 SCC 33, the Supreme Court of Canada allowed a privacy class action to continue through the British Columbia courts. In doing so, the Supreme Court of Canada recognized that the privacy rights of Canadians have a quasi-constitutional status. Douez involved a privacy class action against Facebook on behalf of almost 2 million Facebook users in B.C. The class alleged that Facebook used their names and photographs without consent in “sponsored stories” and that such use constituted a violation of B.C.’s statutory cause of action for invasion of privacy. The issue which reached the Supreme Court involved the forum selection clause contained within Facebook’s terms of use, which required disputes to be resolved in the state of California pursuant to California law. The majority declined to uphold Facebook’s forum selection clause.

The Supreme Court of Canada had previously held that federal and provincial privacy legislation has quasi-constitutional status (see, for example, Lavigne v. Canada (Office of the Commissioner of Official Languages) 2002 SCC 53 at para 24; Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62 at paras 19 and 22.

Social Insurance Numbers

Where an employer employs a person in insurable employment (which is most employment, other than that of a casual nature: EI Act, s. 5(2)(a), 5(3); EI Regs, ss. 7-8), the employer must request the employee’s Social Insurance Number (SIN) within 3 days of the date of hiring, and the employee is required to produce it (EI Regs., s. 89(2), (3)). An employee without a SIN must apply for one within 3 days of being hired (EI Regs, s. 89(1)).  Under the Canada Pension Plan, an employer is required to insist that the SIN be provided by an employee in pensionable employment within 30 days after the employee reaches the age of 18 or becomes employed in pensionable employment, whichever is the later (Canada Pension Plan, s. 98(5).  This is required by law and is not considered to be a breach of privacy.

In order to avoid a potential conviction for aiding or abetting Immigration Act violations, where an employee is unable to produce a SIN, the employer will typically require the employee to produce a valid employment authorization. Employers will review the terms of the authorization to ensure that the circumstances fit within it.  If an employee is unable to produce such an authorization, the employer ought to satisfy itself that the employee is exempt from Immigration Act authorization requirements.


To schedule a consultation, please contact us..