Long-Awaited PIPEDA Amendments Become Law
On June 18, 2015, the Digital Privacy Act (Senate Bill S-4) became law, amending the Personal Information Protection and Electronic Documents Act (PIPEDA) to include a business transaction exemption, mandatory breach notification requirements, enhanced powers for the Privacy Commissioner (Commissioner), and various other updates.
What You Need to Know
- Business transaction exception. PIPEDA now permits organizations to use and disclose personal information without consent of the applicable individuals in the context of a business transaction, provided that the parties enter into an agreement to: only use and disclose personal information for purposes related to the proposed transaction; protect the information with appropriate security safeguards; and return or destroy the information if the transaction does not proceed.
  - Organizations may only disclose personal information to the extent necessary to determine if the transaction should proceed, and then to complete the transaction.
  - If the transaction is completed, the acquiring organization may only use the personal information for purposes consistent with the original collection, and the affected individuals must be notified that their personal information has been transferred to another organization.
- Mandatory breach notification. The amendments to PIPEDA have introduced a mandatory breach reporting regime with hefty fines for non-compliance (up to $100,000 per offence). These provisions are not yet in force, but in the event of a breach of personal information that creates a "real risk of significant harm" to an individual, organizations will be required to:
  - report the breach to the Commissioner;
  - notify the individual whose personal information is at issue of the breach and provide any steps the individual can take to protect herself, as soon as possible;
  - notify any other organization or government institution if doing so might mitigate the harm caused by the breach, as soon as possible (under these circumstances, disclosure may be made without the knowledge or consent of the individual); and
  - maintain records of every breach involving personal information that is under the organization’s control.
- Compliance agreements and public announcements. The Commissioner now has the power to enter into compliance agreements with an organization, where the Commissioner believes that there has been, or is about to be, a contravention of PIPEDA. The Commissioner is also empowered to make public any information obtained in the course of his duties, if it is in the public interest to do so.
- Additional updates. Other changes to PIPEDA include:
  - an express exclusion from the scope of the Act of "business contact information," which includes an individual’s "position name or title, work address, work telephone number, work fax number or work electronic address";
  - clarification that consent is only valid if it is reasonable to expect that the individual to whom the organization’s activities are directed understands the nature, purpose and consequences of the collection/use/disclosure of one’s personal information; and
  - exemptions from consent requirements in the context of fraud detection or prevention, or communications with next-of-kin, and with respect to managing the employment relationship for federally regulated businesses (e.g., banks, airlines).
"Significant harm" is defined broadly to include bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Whether there is a "real risk of significant harm" is determined by the sensitivity of the personal information involved in the breach, the probability that the personal information has been or will be misused, and other factors that may be prescribed by regulation.
What’s Next?
The amendments to PIPEDA offer helpful clarity to organizations regarding consent requirements in various contexts. However, businesses should be mindful of the Commissioner’s expanded powers, and we suggest a review of current practices to ensure compliance with the enhanced provisions.
The mandatory breach reporting requirements will not be in force until regulations under PIPEDA are implemented, and no timeframe has been proposed at this time. Organizations can take this opportunity to prepare for the requirements by developing a robust breach response plan.
In another recent development, the federal government has proposed further amendments to PIPEDA in the budget implementation bill, Bill C-59, aimed at broadening the Commissioner’s jurisdiction to include private-sector organizations engaged in non-commercial activities. The bill, which has reached third reading in the Senate, proposes to include the World Anti-Doping Agency within PIPEDA’s jurisdiction and to allow the government to designate additional non-commercial private-sector organizations going forward.