Viewpoint: Canada’s Digital Privacy Act Receives Royal Assent, but Breach Notification Provisions Lag Behind
After lengthy debates, the Digital Privacy Act (Bill S-4) finally received royal assent on June 18, 2015, and is now law. The federal government introduced Bill S-4 on April 8, 2014; it was the government’s third attempt since 2010 to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Despite the passage of the bill, however, the mandatory breach notification provisions will not come into force until regulations setting out the prescribed requirements have been made. The key amendments to PIPEDA are discussed below.
- PIPEDA has been amended to clarify that an individual’s consent is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which he/she is consenting.
- PIPEDA now contains a “business transaction” exemption that will allow organizations to use and disclose personal information without consent in connection with mergers, acquisitions, financings, etc. (both during due diligence and post-closing), provided certain conditions are met.
- Business contact information is no longer excluded from the definition of personal information. However, PIPEDA’s provisions dealing with personal information will not apply to the collection, use and disclosure of business contact information by an organization solely for the purpose of communicating, or facilitating communication, with an individual about his/her employment, business or profession. Importantly, “business contact information” is given a broad definition and includes business email addresses, which previously were not excluded from the definition of personal information under PIPEDA. Notwithstanding this exemption, organizations should be aware that email communications must still comply with the requirements of Canada’s Anti-Spam Legislation.
- The Privacy Commissioner of Canada now has the power to enter into a compliance agreement with an organization if the Commissioner believes, on reasonable grounds, that the organization has committed, is about to commit or is likely to commit a breach of PIPEDA. A compliance agreement may contain any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If an organization fails to abide by the terms of a compliance agreement, the Commissioner may apply to the Federal Court for certain remedies, including an order requiring compliance, or a hearing.
- There are now several new exceptions from PIPEDA’s consent requirement, including:
  - Information that was produced by an individual in the course of his/her employment, business or profession may be collected, used and disclosed without consent, provided the collection, use or disclosure is consistent with the purposes for which the information was produced (a so-called “work product” exemption).
  - Organizations may disclose personal information to other organizations without consent where the disclosure is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province, or for the purposes of detecting, suppressing or preventing fraud, provided that in either case it is reasonable to expect that disclosure with consent would compromise the investigation or the ability to detect, suppress or prevent the fraud, as applicable.
  - Information contained in a witness statement may be collected, used and disclosed without consent, provided the collection, use or disclosure is necessary to assess, process or settle an insurance claim.
Not Yet in Force
Once the Bill S-4 provisions relating to mandatory breach notification are in force, they will require organizations to notify affected individuals and the Commissioner of a breach of security safeguards involving personal information under the organization’s control, where the breach poses a “real risk of significant harm” to the affected individuals. Government institutions and other organizations also will need to be notified in prescribed circumstances, including where the organization believes that the institution or other organization may be able to reduce or mitigate the risk of harm to the affected individuals. This standard for reportable breaches is similar to that under Alberta’s Personal Information Protection Act. However, organizations also will have to keep a record of every breach of security safeguards, including those that do not meet the harm threshold, and provide those records to the Commissioner upon request. An organization that knowingly fails to report or record a breach as required by PIPEDA will be guilty of an offense punishable by fines of up to CA$100,000.
Wendy Mee is a partner in the Blakes Toronto office. She practices primarily in the area of privacy law, where she advises a wide range of clients, including those in the financial services, life sciences, education, retail, food and consumer goods sectors, on a variety of privacy and data protection issues. She may be reached at firstname.lastname@example.org.
Dara Lambie is an associate in the Blakes Toronto office. Dara’s practice focuses on all aspects of Canadian privacy law in addition to marketing and advertising and product regulatory law in the health, drug, food and consumer product areas. She can be reached at email@example.com.
In Viewpoints, prepaid and emerging payment professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.