Last week Bill C-475 (a private member’s bill that proposes to amend the Personal Information Protection and Electronic Documents Act (PIPEDA)) was up for debate at second reading in Parliament. Bill C-475 would impose an obligation on businesses to report security breaches involving personal information.
This is not the first attempt at privacy legislative reform in Parliament. Bill C-12 (the government’s own bill to amend PIPEDA) has remained stagnant since it was reintroduced after dying on the order paper in the previous session.
On the same morning that Bill C-475 was up for debate, the Privacy Commissioner of Canada (the “Commissioner”) released a paper encouraging privacy reform that would implement mandatory breach notification requirements and consequences for businesses that fail to comply.
Although Parliament is set to rise at the end of the month, there is a real possibility that this legislative change will pass. While the timing of the change is open to debate, businesses may be forced to review and tailor their privacy policies and breach-response procedures in the near future.
The Current Privacy Regime
Within Canada, Alberta’s Personal Information Protection Act (PIPA) (as well as certain provincial health privacy laws) requires businesses to notify the provincial privacy commissioner when personal information is compromised, and the commissioner may in turn require that affected individuals be notified.
Although other provinces do not have explicit statutory notification requirements, some businesses choose to follow the Commissioner’s breach notification Guidelines and voluntarily report privacy breaches. The substance of these Guidelines may soon become mandatory.
The New Privacy Regime
Bill C-475 would amend PIPEDA to require mandatory reporting to the Commissioner of any incident involving the loss of, disclosure of, or unauthorized access to personal information, where a reasonable person would conclude that the incident creates a possible risk of harm to an individual.
The proposed legislation specifies that the following factors are relevant in determining whether a loss, disclosure, or unauthorized access creates a possible risk of harm:
- the sensitivity of the personal information; and
- the number of individuals whose personal information was involved.
Upon receiving a report, the Commissioner may require the business to notify the affected individuals. The business may also notify the affected individuals on its own initiative and then inform the Commissioner that it has done so. Failure to comply with the notification requirements may result in penalties or other liability.
Bill C-475 follows the breach notification model already used under Alberta’s PIPA to compel non-compliant businesses to meet their privacy obligations. Specifically, it expands the Commissioner’s powers so that the related penalties can be enforced, and it leaves to the Commissioner the decision of whether notification of individuals is required.
Conversely, under Bill C-12, businesses themselves would decide whether to notify individuals in the circumstances, and would report to the Commissioner only when a breach is considered material. Moreover, the Commissioner’s power under Bill C-12 would remain limited to the investigation of complaints.
The biggest obstacle facing Bill C-475 is its use of vague language. It creates uncertainty about which types of breach are captured and risks imposing unreasonable obligations on businesses.
For example, “possible risk of harm” is relatively unclear and represents a lower threshold than that of Bill C-12 (which uses “a real risk of significant harm”). Some Members of Parliament have argued that Bill C-475 would effectively require organizations to notify the Commissioner of every potential data breach regardless of context. Costs would rise accordingly: businesses would report far more often, and taxpayers would bear the added burden placed on the Office of the Commissioner.
Naturally, an overly broad standard could do more harm than good to privacy reform in Canada.