This is not the first attempt at privacy legislative reform in
Parliament. Bill C-12 (the government's own bill to
amend PIPEDA) has remained stagnant since it was reintroduced to
Parliament after dying on the order table in the previous
On the same morning that Bill C-475 was up for debate, the Privacy Commissioner of Canada (the
"Commissioner") released a paper encouraging privacy reform that would
implement mandatory notification requirements and consequences for
businesses that fail to comply.
Despite the fact that Parliament is set to close at the end of
the month, there is a real possibility that this legislative change
will pass. While the timing of change is subject to debate,
businesses may be forced to review and tailor their privacy
policies and procedures in the near future.
The Current Privacy Regime
Within Canada, Alberta's Personal Information Protection Act
(PIPA) (as well as certain provincial health privacy laws) requires
businesses to give notice to affected individuals and the
appropriate privacy commissioner when personal information is
Although other provinces do not have explicit statutory
notification requirements, some businesses choose to follow the
Commissioner's Guidelines and voluntarily report privacy
breaches. These Guidelines may soon become mandatory.
The New Privacy Regime
Bill C-475 will amend PIPEDA to require mandatory reporting
to the Commissioner of any incident involving the loss, disclosure,
or unauthorized access to personal information, where a reasonable
person would conclude that there exists a possible risk of harm to
an individual as a result of the loss, disclosure or unauthorized
The proposed legislation specifies that the following factors
are relevant to determine whether a loss, disclosure, or
unauthorized access to personal information creates a possible risk
the sensitivity of the personal information; and
the number of individuals whose personal information was
Upon receiving this information, the Commissioner may require
the business to notify affected individuals. The business may also
notify the affected individuals on its own initiative and then
inform the Commissioner of that action. Failure to comply with the
notification requirements may result in penalties or
Bill C-475 follows the security notification model
successfully used by Alberta's PIPA to force non-compliant
businesses to meet their privacy obligations. Specifically, this is
done by increasing the Commissioner's powers to implement the
related penalties. It also permits the Commissioner to determine
whether notification is required.
Conversely, under Bill C-12, businesses have the responsibility
to determine whether or not to notify individuals in the
circumstances and report to the Commissioner only when a breach is
regarded as material. Moreover, the Commissioner's power is
limited to the investigation of complaints.
The biggest obstacle facing Bill C-475 is its use of vague
language. It creates uncertainty regarding the type of breach being
captured and imposes unreasonable obligations on businesses.
For example, a "possible risk of harm" is relatively
unclear and represents a lower threshold than that of Bill C-12
(which refers to "a reasonable risk of significant
harm"). Members of Parliament argue that Bill C-475 would
require organizations to notify the Commissioner of every potential
data breach regardless of context. As a result, costs would
dramatically increase: businesses would report more
often, and taxpayers would have to support the burden placed on the
Office of the Commissioner.
Naturally, this may cause more harm than benefit to privacy
reform in Canada.