Wanted: A Synopsis of Canadian Cybersecurity Laws

I have been asked (by an American colleague) if I know of any synopsis of “Canadian cybersecurity laws”. I am told that this expression means some mix analogous to the US Computer Fraud and Abuse Act, covering as well wiretaps, crimes, specific requirements for securing data. Core is private sector rather than critical infrastructure or national security.

It is conceivable that there is a chapter or more in the various collections of learning on IT or e-com law on the topic, which Canadian members of this blog are familiar with. Care to name them? Is there a book in Sunny Handa’s series on IT law? Something in Barry Sookman’s looseleaf collection? Or elsewhere (not to be prejudicial by omission…)? (I suspect my correspondent would limit himself to English-language texts, but readers of this blog may be interested in French texts too.)

I think of the Criminal Code provisions on unauthorized access to computers, and related topics. Also PIPEDA and provincial equivalents generally require personal information to be kept secure, though without a lot of detail about the standards of security to be applied. (I am aware of directives or advisory publications by privacy commissioners, notably in Ontario, about securing data on mobile devices, but not a general standard for data in motion or at rest.) So far the one statute and one bill on data breach notification in Canada do not prescribe standards of care for secure storage.

Law societies have advised lawyers (and in Ontario, paralegals) that they should ensure that their client communications are appropriately secure, but without attempting any standard of security. The CBA’s guidelines on IT security for lawyers could be relevant for practice questions, but they do not constitute ‘laws’ as requested.

So questions:

  • What laws exist in Canada that might be considered ‘cybersecurity’ laws, besides the few I have mentioned?
  • Does case law make up for a paucity of statute, via findings of negligent or non-negligent handling of data or IT systems?
  • Are there audit standards that might reach the level of a law, or at least be worth mentioning in this context? I think I recall a publication of the Canadian Institute of Chartered Accountants on cybersecurity. Has anyone got a reference to that, and an idea if it might be relevant?
  • Is there a useful synopsis of them somewhere? Where?

With thanks in advance.


  1. I wonder if Michael Geist might know?

  2. In the criminal law sphere, the best resource I know of on this subject is the looseleaf by Robert W Hubbard, Peter M. Brauti, Scott K. Fenton on Wiretapping and Other Electronic Surveillance: Law and Procedure (Aurora: Canada Law Book, 2009). I believe it was first published in 2000.

  3. Have a look at sections 273.1 through 273.8 of the National Defense Act. Among other things, it establishes the Canadian Security Establishment, and the Minister of Defense’s power to order it to sweep the “global information infrastructure” for “foreign intelligence”. CSE cannot listen to people in Canada, but in practice if they want to know what is going on here, CSE asks the Americans or the Brits, and vice versa. This pooling arrangement includes Australia,Japan and South Korea, and has been in place under the name “Echelon” since 1947.
    The Minister may also authorize his IT people “to intercept private communications in relation to an activity or class of activities specified in the authorization, if such communications originate from, are directed to or transit through any such computer system or network, in the course of and for the sole purpose of identifying, isolating or preventing any harmful unauthorized use of, any interference with or any damage to those systems or networks, or any damage to the data that they contain.” 273.8(1)
    There is more in the Act, from search and seizure powers on military bases to legalized hacking.