Yesterday, Bill S-4, the Digital Privacy Act, was given first reading in the Senate. The Bill's full title, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, demonstrates the Federal government's obvious objective: to update Canada's federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
An in-depth analysis may be premature as this is only a first reading; however, there are some noteworthy proposed changes to PIPEDA.
Proposed Fines for Failure to Record and Report Breaches
- The big ticket items in Bill S-4 are the reporting requirements for breaches of personal information.
- Breaches of security safeguards involving personal information must be reported to the federal Privacy Commissioner "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." Individuals must be notified of any breach of security safeguards involving their personal information in the same circumstance.
- A broad definition of "significant harm" is proposed in section 10.1(7).
- The proposed factors for "real risk of significant harm" are set out in section 10.1(8) (sensitivity of the personal information, probability of misuse, and additional prescribed factors).
- An organization which knowingly fails to keep prescribed records of breaches, or knowingly fails to report breaches in compliance with PIPEDA, may be liable to fines as large as $100,000.00 (indictable offence) and $10,000.00 (summary conviction).
Proposed Amendments Impacting Personal Information of an Employee of an Organization
- The government proposes amending the definition of "Personal Information" to read "information about an identifiable individual", removing the exclusion for "the name, title or business address or telephone number of an employee of an organization".
- Bill S-4 proposes to broaden the application of PIPEDA to include both employees of, and applicants for employment with, an organization. An exclusion is proposed for business contact information an organization collects, uses or discloses "solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession."
- The proposed amendment would introduce section 7(1)(b.2), allowing organizations to collect personal information without the knowledge or consent of an individual if it was "produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced."
Proposed Amendments Authorizing Disclosure of Personal Information
- The Digital Privacy Act proposes to include additional circumstances in section 7(3) which authorize organizations to disclose personal information without the knowledge or consent of the individual.
- The circumstances contemplated by Bill S-4 include investigations involving: breaches of an agreement or contravention of the laws of Canada or a province (section 7(3)(d.1)); fraud detection and suppression (section 7(3)(d.2)); and financial abuse (section 7(3)(d.3)).
- Disclosure is permitted when it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation.
- With respect to investigations regarding breaches of agreements, contraventions of laws, or detecting or suppressing fraud, the disclosure must be reasonable for the purposes of the investigation; however, the disclosure may be to a third party organization that is not a government institution or part thereof.
- With respect to investigations of financial abuse, the proposed section 7(3)(d.3) would permit disclosure to a government institution as well as next of kin or an authorized representative. The latter two are not defined by Bill S-4.
- The proposed addition of sections 7.2-7.4 will facilitate the disclosure and use of personal information in prospective and completed business transactions without the knowledge or consent of
- With respect to a prospective business transaction, the proposed section 7.2 requires that the use and disclosure are solely related to the transaction, appropriate security safeguards are in place, the information is destroyed if the transaction does not proceed AND the personal information is necessary to determine whether the organization wants to proceed with and complete the transaction.
Proposed Requirement for Valid Consent
- The Digital Privacy Act proposes to introduce section 6.1 to PIPEDA, which would slightly alter PIPEDA's third principle – consent. PIPEDA currently requires the consent of an individual to collect, use or disclose their personal information. The proposed section 6.1 states that consent is only valid if the individual would understand the nature, purpose and consequence of the collection, use or disclosure of the personal information to which they are consenting.
Proposed Addition of Compliance Agreements
- The proposed section 17.1 will grant the federal Privacy Commissioner the broad power to enter into compliance agreements with an organization if the Commissioner has reasonable grounds to believe the organization has committed, is about to commit or is likely to commit an act or omission that contravenes PIPEDA. The Commissioner is granted the power to include any terms in a compliance agreement, and the Commissioner may obtain a mandatory order in the event the compliance agreement is not complied with.
- Importantly, the proposed section 17.1(4) states that a compliance agreement does not preclude an individual from applying for a hearing, nor does it preclude prosecution for an offence.
For those interested in a redline version of PIPEDA with the first reading amendments from Bill S-4, David T.S. Fraser has prepared this valuable redline on his indispensable Canadian Privacy Law Blog. Thank you, David!
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.