Legislative framework of application development in Canada

In this blog series, we will shed light on the legislative framework of mobile application development in major countries and regions across the globe. The third part of the series is an analysis of Canadian regulations that are of concern to application developers. It is important to note that the listed laws not only apply to Canadian developers, but to all developers that target a Canadian audience.

In Canada, mobile applications are regulated under the Personal Information Protection and Electronic Documents Act (PIPEDA). The Act, enacted in 2000, governs how private organisations collect, use and disclose personal information. PIPEDA became law to promote consumer trust in electronic commerce by assuring that no data would be obtained without formal consent, except for a number of exceptions in case of emergencies, national security matters or international affairs.

The Act gives consumers the right to know why an organisation collects their personal information, the assurance that no data is used for any purpose other than that to which they have consented, and the possibility to obtain access to their personal information and ask for correction or erasure if necessary. Organisations are required to protect the obtained data by taking appropriate security measures and to have personal information policies that are clear and understandable. They are also obliged to supply customers with a product even if they refuse consent for the collection of their personal information.

In 2015 the Digital Privacy Act amended PIPEDA, requiring companies to notify all stakeholders in case of a data breach. The Act also enhanced the powers of the Privacy Commissioner. The Commissioner is tasked to investigate complaints about violations of the law and to produce a non-binding report. The complainant can then take the matter to the Federal Court of Canada, which can order the organisation complained about to correct its practices and to award damages. The Digital Privacy Act applies to any organisation that collects personal information of Canadian citizens, unless the organisation only obtains data in provinces whose own privacy laws have been declared substantially similar to the federal law (namely Alberta, British Columbia, New Brunswick, Newfoundland and Labrador, Ontario and Québec).

Some types of mobile applications fall under supplementary laws because of the sensitivity of the data they collect. Mobile payment applications (or m-payment apps) protection requirements differ according to the source of funds and the type of organisation providing the service. This results in non-equal protection of consumers. The Financial Consumer Agency of Canada (FCAC) issued a report in 2013 asking for the implementation of a standard that applies uniformly to all m-payment services in order to avoid inconsistencies. The agency also promotes just-in-time privacy disclosures and a dashboard that allows users to revisit and change choices they initially made about an app’s access to their personal information.  

Mobile medical applications (or mHealth apps), defined as software that is intended for use in the diagnosis or treatment of an abnormal physical state, are more strictly regulated than m-payment apps. They must comply with the requirements of the Medical Devices regulations, issued by Health Canada (the Department of National Public Health). The regulations divide medical devices into four categories, based on their design complexity, use characteristics and potential for harm if misused. Each class has its own requirements for approval, quality and documentation and safety reporting. For example, manufacturers of Class II-IV devices have to apply for a Medical Device License. They are also obligated to implement quality systems compliant with a standard called ISO 13485:2016.

In conclusion, PIPEDA is a far-reaching Act that governs how private organisations collect, use and disclose personal information. The Digital Privacy Act extended the scope of the regulation and enhanced the powers of the Privacy Commissioner, who is responsible for investigating complaints about violations of the law. Mobile payment and medical applications fall under supplementary laws because of the sensitivity of the data they collect. The requirements for m-payment applications differ, resulting in non-equal customer protection. The FCAC addressed this issue in a report, but no changes have been implemented yet. On the other hand, mHealth applications must comply with the Medical Devices regulations and are subject to strict rules.

Sources

PIPEDA

https://laws-lois.justice.gc.ca/PDF/P-8.6.pdf

https://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act

Digital Privacy Act

https://www.parl.ca/DocumentViewer/en/41-2/bill/S-4/royal-assent

Provincial Privacy Acts

https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/provincial-and-territorial-privacy-laws-and-oversight/

Mobile health applications

https://www.cmaj.ca/content/187/11/E339.full

https://www.canada.ca/en/health-canada/services/drugs-health-products/medical-devices/activities/announcements/software-regulated-class-medical-device-notice-2010-12-03.html

https://laws-lois.justice.gc.ca/eng/regulations/sor-98-282/

https://www.canada.ca/en/health-canada/services/drugs-health-products/medical-devices/activities/announcements/questions-answers-software-regulated-medical-device.html

https://www.iso.org/standard/59752.html