After lengthy debates, Bill S-4, the Digital Privacy Act, finally received royal assent on June 18, 2015, and is now law. The federal government introduced Bill S-4 on April 8, 2014, which marked the government’s third attempt since 2010 to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Despite the passing of this bill, the mandatory breach notification provisions will not come into force until regulations setting out the prescribed requirements have been enacted. The key amendments to PIPEDA are discussed below.
- PIPEDA has been amended to clarify that an individual’s consent is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which he/she is consenting.
- PIPEDA now contains a “business transaction” exemption that will allow organizations to use and disclose personal information without consent in connection with mergers, acquisitions, financings, etc. (both during due diligence and post-closing), provided certain conditions are met.
- Business contact information is no longer excluded from the definition of personal information. However, PIPEDA’s provisions dealing with personal information will not apply to the collection, use and disclosure of business contact information by an organization solely for the purpose of communicating or facilitating communication with an individual about his/her employment, business or profession. Importantly, “business contact information” is given a broad definition and includes business email addresses, which were not previously excluded from the definition of personal information under PIPEDA. Notwithstanding this exemption, organizations should be aware that email communications must comply with the requirements of Canada’s Anti-Spam Legislation (see our December 2013 Blakes Bulletin: The Waiting Game Is Over: Canada's Anti-Spam Legislation Will Change the E-Communication Landscape).
- The Privacy Commissioner of Canada (Commissioner) now has the power to enter into a compliance agreement with an organization if the Commissioner believes, on reasonable grounds, that the organization has committed, is about to commit or is likely to commit a breach of PIPEDA. A compliance agreement may contain any terms that the Commissioner considers necessary to ensure compliance under PIPEDA. Failure to abide by the terms of a compliance agreement allows the Commissioner to apply to the Federal Court for certain remedies, including an order requiring compliance, or a hearing.
- There are now several new exceptions from PIPEDA’s consent requirement, including:
  - Information that was produced by an individual in the course of his/her employment, business or profession may be collected, used and disclosed without consent, provided the collection, use or disclosure is consistent with the purposes for which the information was produced (a so-called “work product” exemption).
  - Organizations may disclose personal information to other organizations without consent where disclosure is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province, or for the purposes of detecting, suppressing or preventing fraud, provided that in either case it is reasonable to expect that disclosure with consent would compromise the investigation or the ability to detect, suppress or prevent the fraud, as applicable.
  - Information contained in a witness statement may be collected, used and disclosed without consent, provided the collection, use or disclosure is necessary to assess, process or settle an insurance claim.
NOT YET IN FORCE
Once the Bill S-4 provisions relating to mandatory breach notification are in force, they will require organizations to notify affected individuals and the Commissioner of a breach of security safeguards involving personal information under the organization’s control, where the breach poses a “real risk of significant harm” to the affected individuals. Government institutions and other organizations will also need to be notified in prescribed circumstances, including if the organization believes that the institution or other organization may be able to reduce or mitigate the risk of harm to the affected individuals. This standard for reportable breaches is similar to that under Alberta’s Personal Information Protection Act. However, organizations will also have to keep a record of all data breaches, including those that do not meet this harm threshold, and report all breaches to the Commissioner upon request. An organization that knowingly fails to report or record a breach as required by PIPEDA will be guilty of an offence punishable by fines of up to C$100,000.