In an apparent attempt to apply pressure to the government to
amend the federal private sector privacy law, New Democrat Digital
Issues Critic Charmaine Borg recently introduced a private member's
bill that would introduce mandatory data breach
reporting and provide the Privacy Commissioner of Canada with
direct enforcement powers.
The New Democrat bill, known as C-475, differs from C-12 in
several important ways.
First, C-475 would require that organizations report data
breaches to the Privacy Commissioner, who would then determine
whether the organization would be required to notify affected
individuals (although organizations would not be precluded from
providing such notice). By contrast, Bill C-12
includes a provision that would require organizations to report
data breaches to the Privacy Commissioner, as well as to notify
affected individuals in certain circumstances.
Bill C-475 also contemplates what appear to be lower standards
for the types of breaches that require reporting, or with respect
to which the Privacy Commissioner may require notification of
affected individuals, likely resulting in more reports and
notifications than under the government bill.
In this regard, Bill C-12 requires organizations to report
material breaches of security safeguards involving personal
information; Bill C-475 requires organizations to notify the
Privacy Commissioner where a reasonable person would conclude that
there exists a possible risk of harm to an individual as a
result of the breach. With respect to notification of affected
individuals, Bill C-12 would require organizations to notify an
individual where it is reasonable to conclude that the breach
creates a real risk of significant harm to the individual;
Bill C-475 would provide that the Privacy Commissioner may require
an organization to notify affected individuals to whom there is
“an appreciable risk of harm” as a result of the
Bill C-475 would also provide the Privacy Commissioner with new
enforcement powers respecting compliance with PIPEDA as a whole,
including the ability to issue orders requiring organizations to
take corrective action to come into compliance with the law and to
publish notices of any such action taken or proposed to be
taken. The Bill would also provide the Privacy Commissioner
with the ability to seek from the Federal Court penalties of up to
$500,000 against organizations that do not comply with orders
issued by the Commissioner.
The Bill would also create a private right of action whereby
individuals affected by any violation of PIPEDA that was made the
subject of a Privacy Commissioner order may seek damages for losses
suffered as a result of the non-compliance.
At the same time, the New Democrat bill omits several important
business-friendly reforms contained in the government bill,
including a clearer and more expansive carve-out for business
contact information and a prospective business transaction
exception that would allow businesses to disclose personal
information without consent in the context of certain transactions,
including mergers, acquisitions and financing.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.