On Tuesday April 8, 2014 the Federal Government introduced
important amendments to the Personal Information Protection and
Electronic Documents Act (PIPEDA). Bill S-4, the "Digital
Privacy Act", was introduced by the Leader of the Government in
the Senate. The Bill is a part of "Digital Canada
150", a multi-pronged plan of the Government intended to
permit and encourage Canadians and Canadian businesses to
benefit from opportunities created by the digital economy. The
Government indicates that the Digital Privacy Act will ensure that
Canadians are safer and more secure when they surf the web or shop
online. In the view of the Government, the proposed amendments to
PIPEDA will better protect consumers; simplify rules for
businesses; and increase compliance with PIPEDA.
The following briefly summarizes key provisions of the Bill:
Mandatory Breach Notification
The creation of a legislative duty to notify of certain
breaches of security safeguards.
The obligation to notify arises where there has been
unauthorized access to or disclosure of personal information
resulting from such a breach.
Notice must be given to both the Privacy Commissioner of Canada
(OPC) and the individuals affected, providing it is reasonable in
the circumstances to believe that the breach creates a real risk of
There are factors provided to assess whether there is a real
risk of significant harm.
There are requirements for the content of the notice as well as
timing of the notice.
There may also be an obligation to report to other
organizations or government institutions if they may be able
to reduce the risk that could result to the affected
New Record Keeping Requirements
An organization must retain a record of every breach of
security safeguards, whether or not it is obligated to report, and
provide the record to the OPC on request.
Exemptions from the requirement to obtain consent for: the
disclosure of personal information in the context of business
transactions, including mergers and acquisitions; the collection,
use and disclosure of work product; and the collection, use and
disclosure of information in witness statements when necessary to
assess, process or settle an insurance claim.
Higher threshold for valid consent - requirement that the
person understand the consequences of the collection, use or
disclosure of their personal information.
Additional Power for OPC
OPC has been given additional authority to enter into a
"compliance agreement" with an organization which she can
apply to the Court to enforce.
It will be an offence to fail to notify the OPC and the
affected individuals regarding breaches of security and to fail to
maintain a record of every breach (whether or not notice is
The penalties include fines of up to $100,000.
BLG will follow the progress of this Bill and issue Bulletins as
information becomes available, which may include Bulletins focused
on the impact of the Bill on specific industries, including the
financial services sector. Details of committee consideration
(including public hearings) on the Bill in the Senate and the House
of Commons have not yet been made public. Companies and other
entities that need assistance interpreting the implications of the
Bill for their own organizations or who may wish to comment on the
Bill, in any future public process or otherwise, are welcome to
consult with their key contacts at BLG to ensure that the extensive
implementation and compliance is made available.