BILL NO. 131

(as introduced)

1st Session, 65th General Assembly
Nova Scotia
4 Charles III, 2025

 

Private Member's Public Bill

 

Privacy and Credit Protection Act

 

Susan Leblanc
Dartmouth North



First Reading: September 23, 2025

Second Reading:

Third Reading:

 

An Act Respecting Privacy
and Credit Protection

Be it enacted by the Governor and Assembly as follows:

1 This Act may be cited as the Privacy and Credit Protection Act.

2 In this Act,

"artificial intelligence system" means a technological system that autonomously or partially autonomously processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or other techniques to generate content or make decisions, recommendations or predictions;

"data breach" means a security incident in which personal data or confidential and sensitive information is accessed, disclosed or lost without authorization as a result of an accidental error, a malicious attack or a lapse in security protocols;

"data controller" means a person, public authority, agency or other body who, alone or jointly with others, determines the purpose and means of the processing of personal data;

"data processor" means a person, public authority, agency or other body who processes personal data on behalf of a data controller;

"data subject" means an individual whose personal data was subject to a data breach;

"identifiable individual" means an individual who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;

"personal data" means any information relating to an identified or identifiable individual.

3 (1) A person who wilfully and without a claim of right violates the privacy of an individual commits a tort against that individual.

(2) An action for violation of privacy may be brought without proof of damage.

(3) The nature and degree of privacy to which an individual is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of other persons.

(4) In determining whether the act or conduct of a person violates the privacy of an individual, regard must be given to the nature, incidence and occasion of the act or conduct and to the relationship between the parties.

(5) Without limiting subsections (1) to (4), eavesdropping or surveillance may constitute a violation of privacy, whether or not accomplished by trespass.

4 (1) In this Section, "intimate image" means a visual recording of a person made by any means, including a photograph, film or video recording in which the person depicted in the image is nude, is exposing the person's genital organs, anal region or breasts, or is engaged in explicit sexual activity.

(2) Evidence that a person has

(a) conducted auditory or visual surveillance of an individual, whether or not accomplished by trespass, by any means, including eavesdropping, watching, spying, harassing or following;

(b) listened to or recorded a conversation in which an individual participates;

(c) listened to or recorded a message to or from an individual by means of telecommunication;

(d) used the name, likeness or voice of an individual, including an imitation of the likeness or voice of an individual created by an artificial intelligence system, for the purpose of

    (i) advertising or promoting the sale of, or trading in, property or services, or

    (ii) another advantage to the user,

if, in the course of the use, the individual is identified or identifiable and the user intended to exploit the name, likeness or voice of that individual;

(e) used or distributed a letter, diary or other private or personal document of an individual; or

(f) used or distributed an intimate image of an individual, including an artificially generated intimate image in the likeness of an individual,

without the consent, expressed or implied, of the individual or another person who has the lawful authority to give the consent is, in the absence of evidence to the contrary, proof of a violation of the privacy of the individual.

5 (1) A data breach constitutes a violation of the privacy of the data subject if the information subject to the data breach was reasonably expected to be protected and kept private when given to a data controller or data processor, with due regard given to the sensitivity of the information and the manner in which the information was stored and protected.

(2) Social insurance numbers and personal banking information are deemed information that can reasonably be expected to be protected and kept private, regardless of whether such information was given consensually to a data controller or data processor.

(3) Subsection (1) applies only if the data controller or data processor to whom the information was provided collects, uses or discloses personal data in the course of commercial activities.

(4) Subsection (1) does not apply if the data controller or data processor to whom the information was given

(a) collects, uses or discloses personal data for personal or domestic purposes and does not collect, use or disclose the personal data for any other purpose; or

(b) collects, uses or discloses personal data for journalistic, artistic or literary purposes and does not collect, use or disclose the personal data for any other purpose.

6 (1) In this Section,

"court" includes a person authorized to administer an oath or affirmation for the taking of evidence while acting for the purpose for which the person is authorized to take evidence;

"offence" includes an offence against a law of the Province or of Canada, including an offence under the Criminal Code (Canada).

(2) An act or conduct is not a violation of privacy if

(a) the act or conduct was consented to by a person entitled to consent;

(b) the act or conduct was incidental to the exercise of a lawful right of defence of person or property;

(c) the act or conduct was authorized or required under law or by a court or a process of a court; or

(d) the act or conduct was that of

    (i) a peace officer acting in the course of the peace officer's duties for the prevention, discovery or investigation of an offence or of the discovery or apprehension of the perpetrators of an offence, or

    (ii) a public officer engaged in an investigation in the course of the public officer's duties under a law of the Province or of Canada,

and was neither disproportionate to the gravity of the offence or matter subject to the investigation nor committed in the course of a trespass.

(3) A publication of a matter is not a violation of privacy if

(a) the matter published was of public interest or was fair comment on a matter of public interest; or

(b) the publication was, under the rules of law relating to defamation, privileged.

7 In an action for violation of privacy, the Supreme Court of Nova Scotia may

(a) award damages;

(b) grant an injunction;

(c) order the defendant to account to the plaintiff for profits that have accrued or that may later accrue to the defendant because of the violation;

(d) order the defendant to deliver to the plaintiff articles or documents that have come into the defendant's possession because of the violation; or

(e) grant other relief to the plaintiff that appears advisable under the circumstances.

8 An action or right of action for a violation of privacy is extinguished by the death of the person whose privacy is alleged to have been violated.

9 (1) A data controller or data processor shall

(a) protect personal data in its custody or under its control by implementing security measures against risks of data breaches in accordance with the regulations; and

(b) securely destroy personal data in its custody or under its control at the expiry of the relevant retention period in accordance with the regulations.

(2) A data controller or data processor shall not

(a) store personal data longer than the time necessary to fulfil the originally identified purpose for which it was collected; or

(b) store personal data for a period exceeding the retention period prescribed by the regulations.

10 (1) In this Section, words and expressions have the same meaning as in the Consumer Reporting Act.

(2) A consumer may, in accordance with this Section and any requirements prescribed by the regulations, require a consumer reporting agency to place a security freeze on the consumer's file.

(3) A consumer who requires a security freeze under subsection (1) shall provide the consumer reporting agency with a copy of any identification prescribed by the regulations and a copy of any other identification the agency may reasonably require to verify the consumer's identity.

(4) Where the consumer has complied with subsections (2) and (3), the consumer reporting agency shall place a security freeze on the consumer's file on or before the deadline prescribed by the regulations.

(5) During the period that a security freeze on a consumer's file is in effect, the consumer reporting agency shall not disclose any credit or personal information about the consumer maintained by the agency, including any consumer scores, to any person.

(6) Where the consumer, in accordance with any requirements prescribed by the regulations, directs the consumer reporting agency to terminate the freeze, the agency shall terminate the security freeze on or before the prescribed deadline.

(7) A security freeze expires at the end of the period prescribed by the regulations, if any.

(8) Notwithstanding subsection (5), the consumer reporting agency may, in accordance with any requirements prescribed by the regulations, disclose information prescribed by the regulations about a consumer maintained by the agency to persons and entities prescribed by the regulations.

(9) Notwithstanding subsection (5), where a consumer, in accordance with any requirements prescribed by the regulations, directs a consumer reporting agency to disclose information to an identified person or entity, the agency shall disclose the information as directed and shall do so on or before any deadline prescribed by the regulations.

(10) A consumer reporting agency may not charge the consumer a fee for placing a security freeze, terminating a security freeze or disclosing information at the direction of a consumer during a security freeze.

(11) A consumer reporting agency may not take into account the exercise of a right conferred by this Act in the production of a credit rating nor of any other personal information concerning the person who exercised such right.

(12) Where a consumer requests that a security freeze be placed on the consumer's file, the consumer reporting agency shall provide the consumer with the prescribed information and the name and the telephone number or email address of a person the consumer can contact for an explanation of the information.

11 A corporation that contravenes Section 9 or 10 is guilty of an offence and liable on summary conviction to a fine of not more than $30,000,000 or four per cent of the corporation's worldwide annual revenue from the fiscal year preceding the commission of the offence, whichever amount is higher.

12 Where there is a conflict between this Act and the Freedom of Information and Protection of Privacy Act, the Intimate Images and Cyber-protection Act or the Personal Health Information Act, those other Acts prevail.

13 (1) The Governor in Council may make regulations

(a) respecting security measures for protecting personal data held by data controllers and data processors at varying levels of information sensitivity, including physical measures, organizational measures and technological measures;

(b) respecting retention periods for personal data held by data controllers and data processors;

(c) respecting the destruction of personal data held by data controllers and data processors at the expiry of retention periods;

(d) respecting any matter in relation to security freezes that is to be prescribed, determined or regulated by the regulations;

(e) defining any word or expression used but not defined in this Act;

(f) further defining any word or expression defined in this Act;

(g) respecting any matter or thing the Governor in Council considers necessary or advisable to effectively carry out the intent and purpose of this Act.

(2) The exercise by the Governor in Council of the authority contained in subsection (1) is a regulation within the meaning of the Regulations Act.

14 This Act has effect on and after January 1, 2026.

 

This page and its contents published by the Office of the Legislative Counsel, Nova Scotia House of Assembly, and © 2025 Crown in right of Nova Scotia. Created September 23, 2025. Send comments to legc.office@novascotia.ca.

More Information

Full Glossary
Types of Bills
How a Bill becomes law
Orders in Council
Registry of Regulations
Library resources on law
Constitutional Timeline
Order copies of legislation
Finding private and local legislation