On June 18, 2015, the Digital Privacy Act, which amends the
Personal Information Protection and Electronic Documents Act
(Canada) ("PIPEDA"), received Royal Assent. Most
provisions of the Digital Privacy Act are now in force. A copy of
the provisions can be found here.
As previously discussed in this blog, the Digital Privacy Act
makes a number of substantive and housekeeping amendments to
PIPEDA, and is the end result of multiple legislative attempts over
the past several years to make updates to PIPEDA which,
for the most part, were without serious controversy.
The major changes now in force are:
- Confirmation that employers of federally-regulated businesses have implicit consent to deal with their employee information in the context of the employment relationship; this mirrors similar provisions contained in the Personal Information Protection Act ("PIPA") of British Columbia and of Alberta.
- Introduction of a "business transaction" exemption into PIPEDA, similar to the exemption currently set out in PIPA; PIPEDA-regulated enterprises will now be able to utilize this exemption when buying or selling a
- Addition of an exemption permitting disclosure between organizations for the purpose of investigating a breach of agreement.
- A requirement that the effectiveness of a consent given to the organization must be considered subjectively in the context of the relevant audience.
- Clarification of the rules surrounding witness statements, business contact information and employee work product.
The most significant change being made by the Digital Privacy
Act is not yet in effect, and will be brought into force by
regulation at a future date. PIPEDA-regulated organizations will
now be subject to a compulsory privacy breach reporting system, and
a system of fines and penalties will be put in place for failure to
comply. The relevant threshold will be the "real risk of
significant harm" test currently used in Alberta's
compulsory breach reporting regime, which has been in place for
several years. The reporting system will involve both a report to
the federal Privacy Commissioner, and a report to the affected
individuals. Regulations will need to be developed and finalized to
support this system.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.