On April 8, 2014, the Canadian Government introduced the
Digital Privacy Act in the Senate. Bill S-4 proposes to
amend the Personal Information Protection and Electronic
Documents Act (PIPEDA) to include, among other things,
mandatory notification of data breaches, enhanced powers for the
Privacy Commissioner (Commissioner), and a business-friendly
exemption for transfers of personal information for the purposes of
a proposed transaction.
The proposed amendments are similar to those first tabled in
2010, which were never enacted. However, Bill S-4 omits the lawful
access provisions proposed in 2010 and introduces new compliance
powers for the Commissioner.
Mandatory Breach Notification
If the amendments are enacted as they have been introduced,
organizations that suffer a breach of personal information that
creates a "real risk of significant harm" to an
individual will be required to:
- report the breach to the Commissioner;
- notify the individual whose personal information is at issue of
the breach, as soon as possible, and provide any steps the individual
can take to protect herself;
- notify any other organization or government institution, as soon as
possible, if doing so might mitigate the harm caused by the breach
(under these circumstances, disclosure may be made without
the knowledge or consent of the individual); and
- information under the organization's control.
The format of the report and notification is to be prescribed by
regulation. Failure to comply with the above requirements could
result in a fine of up to $100,000 per offence.
The proposed amendments broadly define "significant
harm" to include the following: bodily harm; humiliation;
damage to reputation or relationships; loss of employment, business
or professional opportunities; financial loss; identity theft;
negative effects on credit record; and damage to or loss of
property. The presence of a "real risk of significant
harm" is determined by reference to the sensitivity of the
personal information, the probability that the personal information
has been or will be misused, and other factors that may be
prescribed by regulation.
Bill S-4 will enhance the Commissioner's powers through
"compliance agreements". When the Commissioner believes
that an organization has contravened or is about to contravene PIPEDA, the
Commissioner may propose an agreement with the organization on any
terms the Commissioner considers necessary to ensure compliance.
The Commissioner will be empowered to seek a court order requiring
the organization to comply if it breaches the agreement.
The potential range of terms the Commissioner may include in a
compliance agreement is not yet known. The enforcement powers in
Canada's Anti-Spam legislation (CASL) may serve as a useful
indicator. For example, CASL includes warrant powers that permit
physical entry into a building to verify compliance or investigate
contraventions, and undertaking powers similar to the proposed
Transferring Personal Information in Business Transactions
The transfer of personal information is often necessary in
business transactions such as acquisitions or financings. If
enacted, the amendments will permit organizations to disclose and
use personal information without the knowledge or consent of the
individual where necessary to determine whether to proceed with a
transaction. Once shared, the information must be used and
disclosed only for purposes related to the proposed transaction,
protected by security safeguards, and returned or destroyed should
the transaction not proceed.
If the transaction closes, the parties may agree to the
continued use and disclosure of the personal information where
necessary to carry on the business. However, the information must
only be used for the purposes for which it was originally collected,
and affected individuals must be notified of the disclosure within a
reasonable time after the transaction closes.
Collection and Disclosure Without Knowledge or Consent
Bill S-4 adds new exceptions permitting the collection, use and
disclosure of personal information without knowledge or consent in
two situations: in the employment context, and for the purpose of
detecting or preventing fraud. In the employment context, personal
information may be collected, used and disclosed by federal
undertakings (such as banks or airlines) without consent when
necessary to establish, manage or terminate an employment relationship.
The individual must nonetheless be informed that her
information is being collected, used or disclosed.
The Digital Privacy Act also clarifies that consent is
only valid when it is reasonable to expect that the individual
would understand the purpose and consequences of the collection,
use or disclosure of her personal information.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.