Nearly a decade after British Columbia and Alberta enacted their own private sector privacy laws, Manitoba's Legislative Assembly recently passed the Personal Information Protection and Identity Theft Prevention Act (PIPITPA or the Act), a privacy statute governing the private sector in that province.
The Act, which has yet to be proclaimed in force, will apply to the collection, use and disclosure of personal information by organizations carrying on commercial activities in Manitoba, and will govern the handling of both consumer and employee information. While much of the Act is modeled after Alberta's Personal Information Protection Act (PIPA), several differences are worth noting:
Oversight – strangely,unlike the other federal and provincial private sector privacy laws, which are administered and enforced by their respective privacy commissioners, the new Manitoba law does not establish a privacy commissioner's office to oversee the bill. Moreover, it lacks any sort of complaint mechanism by which individuals might file complaints relating to non-compliance with the Act (although the Act gives limited procedural powers to the province's Ombudsman, an existing office that otherwise investigates and reports on general complaints with respect to the operation of government). This odd structure is apparently due to the fact that the law originated as a private member's bill, which, under legislative rules, could not contain provisions that would have placed additional financial obligations on the government.
Private right of action - the Act provides individuals a statutory right of action to claim damages arising out of failure to safeguard personal information or to provide notification of a privacy breach. Unlike the private sector privacy statutes in Alberta and British Columbia, the Manitoba law does not make its private right of action conditional on a finding by the regulator of a violation of the statute; rather, aggrieved individuals can directly bring an action, without any oversight or involvement whatsoever by the Ombudsman. The statute does not explicitly indicate whether the damages available through such an action would include moral damages or damages for non-pecuniary losses, although this has certainly been the case in other jurisdictions. Given the lack of a complaint mechanism or the requirement that the Ombudsman make a finding of non-compliance before an action for damages may be initiated, the enforcement of the Act may largely be driven by private litigation, and could serve to encourage the filing of class action suits for privacy breaches in Manitoba. Although the Act does provide that non-compliance with the key requirements of the Act constitutes an offence carrying fines of up to $100,000 for businesses, it seems unlikely that scarce Crown resources would be directed at the investigation and prosecution of any but the most egregious of privacy violations.
Breach notification - one of the other distinguishing features of the Act is the breach notification provision, which requires organizations to notify affected individuals directly, instead of notifying a regulator, if their personal information has been stolen, lost or accessed in an unauthorized manner. Notice is not required where a law enforcement agency investigating the breach instructs the organization to not disclose the breach or where the organization itself is satisfied that it is not reasonably possible for the information to be used unlawfully. Unlike Alberta's PIPA, the Act does not contain a harm threshold for triggering the notification requirement, which suggests that all breaches can potentially trigger notification.
The handling of personal information by private sector organizations in Manitoba is currently governed by the federal private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information in the course of commercial activity, but does not apply to the handling of employee data by most employers in the province, as PIPEDA applies only to employee personal information that is handled by federally regulated organizations. The new Manitoba law would introduce a privacy framework for the handling of employee personal information.
PIPEDA will continue to apply - even after PIPITPA is proclaimed in force - until the Governor in Council is satisfied that the Manitoba law is substantially similar to Part 1 of PIPEDA. However, without a complaint mechanism, it remains to be seen whether PIPITPA, in its current form, would be considered "substantially similar" to the federal law, raising the possibility that Manitoba organizations might be faced with complying with two overlapping privacy laws. To avoid this possibility, the Government of Manitoba could introduce a bill amending PIPITPA so as to introduce a complaint mechanism and clarify an oversight role.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
