Proposed Privacy Reforms Made Public
On April 8, 2014, the Canadian Government introduced the Digital Privacy Act in the Senate. Bill S-4 proposes to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to include, among other things, mandatory notification of data breaches, enhanced powers for the Privacy Commissioner (Commissioner), and a business-friendly exemption for transfers of personal information for the purposes of a proposed transaction.
The proposed amendments are similar to those first tabled in 2010, which were never enacted. However, Bill S-4 omits the lawful access provisions proposed in 2010 and introduces new compliance powers for the Commissioner.
Mandatory Breach Notification
If the amendments are enacted as they have been introduced, organizations that suffer a breach of personal information that creates a "real risk of significant harm" to an individual will be required to:
- report the breach to the Commissioner;
- notify the individual whose personal information is at issue of the breach and provide any steps the individual can take to protect herself, as soon as possible;
- notify any other organization or government institution if doing so might mitigate the harm caused by the breach, as soon as possible (under these circumstances, disclosure may be made without the knowledge or consent of the individual); and
- maintain records of every breach involving personal information under the organization’s control.
The format of the report and notification is to be prescribed by regulation. Failure to comply with the above requirements could result in a fine of up to $100,000 per offence.
The proposed amendments broadly define "significant harm" to include the following: bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on credit record; and damage to or loss of property. The presence of a "real risk of significant harm" is determined by reference to the sensitivity of the personal information, the probability that the personal information has been or will be misused, and other factors that may be prescribed by regulation.
Compliance Agreements
Bill S-4 will enhance the Commissioner’s powers through "compliance agreements". When the Commissioner believes that an organization has or is about to contravene PIPEDA, the Commissioner may propose an agreement with the organization on any terms the Commissioner considers necessary to ensure compliance. The Commissioner will be empowered to seek a court order requiring the organization to comply if it breaches the agreement.
The potential range of terms the Commissioner may include in a compliance agreement is not yet known. The enforcement powers in Canada’s Anti-Spam legislation (CASL) may serve as a useful indicator. For example, CASL includes warrant powers that permit physical entry into a building to verify compliance or investigate contraventions, and undertaking powers similar to the proposed compliance agreements.
Transferring Personal Information in Business Transactions
The transfer of personal information is often necessary in business transactions such as acquisitions or financings. If enacted, the amendments will permit organizations to disclose and use personal information without the knowledge or consent of the individual if necessary to determine whether to proceed with a transaction. Once shared, the information must be used and disclosed only for purposes related to the proposed transaction; protected by security safeguards, and returned or destroyed should the transaction not proceed.
If the transaction closes, the parties may agree to the continued use and disclosure of the personal information if necessary to carry on the business. However, the information must only be used for the purposes for which it was collected and affected individuals must be notified of the disclosure within a reasonable timeframe of the transaction.
Collection and Disclosure Without Knowledge or Consent
Bill S-4 includes new exceptions to the restrictions on the collection and use of personal information in the employment context, for the purpose of detecting or preventing fraud. Personal information may be collected, used and disclosed by federal undertakings (such as banks or airlines) without consent when necessary to manage or terminate an employment relationship. However, the individual must nonetheless be informed that her information is being collected, used or disclosed.
The Digital Privacy Act also clarifies that consent is only valid when it is reasonable to expect that the individual would understand the purpose and consequences of the collection, use or disclosure of her personal information.