On Tuesday, April 8, 2014, the Federal Government introduced
important amendments to the Personal Information Protection and
Electronic Documents Act (PIPEDA). Bill S-4, the "Digital
Privacy Act", was introduced by the Leader of the Government in
the Senate. The Bill is a part of "Digital Canada
150", a multi-pronged plan of the Government intended to
permit and encourage Canadians and Canadian businesses to
benefit from opportunities created by the digital economy. The
Government indicates that the Digital Privacy Act will ensure that
Canadians are safer and more secure when they surf the web or shop
online. In the view of the Government, the proposed amendments to
PIPEDA will better protect consumers; simplify rules for
businesses; and increase compliance with PIPEDA.

The following briefly summarizes key provisions of the Bill:

Mandatory Breach Notification

The creation of a legislative duty to notify of certain
breaches of security safeguards.
The obligation to notify arises where there has been
unauthorized access to or disclosure of personal information
resulting from such a breach.
Notice must be given to both the Privacy Commissioner of Canada
(OPC) and the individuals affected, provided it is reasonable in
the circumstances to believe that the breach creates a real risk of
There are factors provided to assess whether there is a real
risk of significant harm.
There are requirements for the content of the notice as well as
timing of the notice.
There may also be an obligation to report to other
organizations or government institutions if they may be able
to reduce the risk that could result to the affected

New Record Keeping Requirements

An organization must retain a record of every breach of
security safeguards, whether or not it is obligated to report, and
provide the record to the OPC on request.
Exemptions from the requirement to obtain consent for: the
disclosure of personal information in the context of business
transactions, including mergers and acquisitions; the collection,
use and disclosure of work product; and the collection, use and
disclosure of information in witness statements when necessary to
assess, process or settle an insurance claim.
Higher threshold for valid consent - requirement that the
person understand the consequences of the collection, use or
disclosure of their personal information.

Additional Power for OPC

OPC has been given additional authority to enter into a
"compliance agreement" with an organization which she can
apply to the Court to enforce.
It will be an offence to fail to notify the OPC and the
affected individuals regarding breaches of security and to fail to
maintain a record of every breach (whether or not notice is
The penalties include fines of up to $100,000.
BLG will follow the progress of this Bill and issue Bulletins as
information becomes available which may include Bulletins focused
on the impact of the Bill on specific industries, including the
financial services sector. Details of committee consideration
(including public hearings) on the Bill in the Senate and the House
of Commons have not yet been made public. Companies and other
entities that need assistance interpreting the implications of the
Bill for their own organizations or who may wish to comment on the
Bill, in any future public process or otherwise, are welcome to
consult with their key contacts at BLG to ensure that the extensive
implementation and compliance is made available.