Bill S-4, the Digital Privacy Act (the Act), has now been passed by the Senate and House of Commons, and many provisions are scheduled to come into force upon decree. It will have significant impacts on the treatment of information by organizations that are subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), either because they are federally regulated and fall under the legislative authority of the Parliament of Canada, or because they operate within a province that does not have in place legislation that has been determined to be substantially similar to PIPEDA.
Exemptions for businesses
Three amendments are noteworthy for businesses subject to PIPEDA.
First, there is now an exemption from consent requirements for collection, disclosure and use of personal information when the information at issue is business contact information (including an email address). The exemption will only apply, however, where the collection, disclosure or use of the information is done solely for the purpose of communicating or facilitating communication with the individual in relation to his or her employment, business or profession. The Act would still prohibit organizations governed by the legislation from more general disclosure of business contact information to third parties without first receiving consent.
Second, the Act specifically allows for sharing personal information in the context of due diligence for business transactions such as M&As, a partial sale of assets or transfer upon insolvency, without consent, provided certain conditions are met by the parties to the transaction. Organizations engaging in the kinds of business transactions covered by the proposed changes will need to ensure compliance with the statutory requirements that resemble those found in Alberta's privacy legislation.
Some of the more controversial amendments to PIPEDA include the ability of organizations to disclose personal information to other organizations if the disclosure is for the purposes of investigating a breach of an agreement or a contravention of a Canadian law, or for the purposes of detecting, preventing or suppressing fraud.
These new provisions have been both criticized and applauded. The bill has been sharply criticized for opening the door to a wide expanse of warrantless searches and secret information sharing, creating the possibility of increased litigation against private citizens for alleged copyright infringement, and allowing Internet service providers to share personal information with any entity investigating a breach of contract or illegal activity. However, the legislation is also applauded for facilitating the ability of organizations to build robust anti-money laundering and fraud detection/prevention programs not only within Canada, but within an international context for multi-national organizations.
Finally, the Act will make it mandatory for businesses to notify both individual customers and the privacy commissioner of Canada if they have suffered a data security breach that could "create a real risk of significant harm" to individuals. The amendments further require organizations to keep and maintain records of any such breaches, making them available to the privacy commissioner upon request.
Greater consequences for non-compliance
Notably, the amendments create a criminal offence for an organization to knowingly fail to comply with the notification and record-keeping requirements following a breach of data security.
If found guilty of such an offence, organizations may be liable for fines of up to $100,000. In addition, the amendments would give the privacy commissioner greater flexibility to disclose information gathered while investigating an organization for breach of the information security safeguards in PIPEDA and give the privacy commissioner additional powers to enter into and enforce compliance agreements with organizations coming under the privacy commissioner's jurisdiction.
The bottom line
With these changes to PIPEDA, organizations gain more flexibility when dealing with personal information for certain business and transactional purposes, provided the new conditions related to business contact information and the use of personal information in the course of a business transaction are met. The proposed changes raise the stakes for non-compliance with PIPEDA but greatly expand the permissible scope and extent of information sharing. In addition, all organizations will be reviewing and assessing the scope of their ability to implement national/international data-sharing projects to detect and deter fraud or investigate breaches of the law.
Norton Rose Fulbright Canada LLP