Bill S-4, also known as the Digital Privacy Act (Canada) (the “Act”), was passed by Parliament and received Royal Assent on June 18, 2015, a little more than a year since its introduction in the Senate in April, 2014. The Act, now cited as S.C. 2015 c.32, is in force except for sections 10, 11-14, 17(1), 17(4), 19, and 22 to 25 which come into force on dates to be fixed by order of the Governor in Council.
The Act makes several important amendments to the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), including the addition of breach reporting requirements, business exemptions for data transfers, new enforcement powers for the Privacy Commissioner of Canada (the “Commissioner”), and new circumstances in which an individual's personal information can be disclosed without his or her knowledge or consent.
Mandatory Breach Reporting
Section 10 of the Act adds a new Division 1.1 to section 10 of PIPEDA. Once this clause comes into force, PIPEDA will require organizations that suffer a data breach that creates a “real risk of significant harm” to one or more individuals to take the following measures, as soon as feasible:
- Report the incident to the Commissioner;
- Notify affected individuals of the breach and of any steps they can take to minimize harm, with sufficient detail so that the individuals understand the significance of the breach to them;
- Where the organization has notified affected individuals, it must also notify any other organizations or government entities of the breach if it believes that such action may reduce the risk of harm; and
- Maintain a record of every security data breach and make such records available to the Commissioner on request.
The Act defines “significant harm” broadly to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identify theft, negative effects on the credit record and damages to or loss of property”.
Further, the Act determines the existence of a “real risk of significant harm” by reference to the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused, and any other factors that may be prescribed by regulation.
Section 24 of the Act will modify section 28 of PIPEDA to create offences for non-compliance with data security breach obligations. After this section comes into force, an organization that fails to report and record a breach or that hinders the Commissioner’s efforts to investigate a complaint or perform an audit may face fines of up to $10,000 for a summary offence or up to $100,000 for an indictable offence.
Exemptions for Business Transactions
Section 7 of the Act, now in force, clarifies how personal information can be transferred in the context of mergers, acquisitions, financings and other business transactions. Organizations are now expressly permitted to disclose individuals’ personal information without consent for the purpose of a business transaction if the receiving organization uses the information solely for purposes related to the transaction and has proper data safeguards, provided the disclosure is necessary for determining whether to proceed with the transaction (i.e., to conduct due-diligence) or for completing post-closing arrangements.
If the transaction does not proceed, the receiving organization must return or destroy all personal information that was received. Alternatively, if the transaction closes, the receiving organization is permitted to continue to use or disclose the information, provided it does so solely for the purposes of carrying on the business and in a manner consistent with the purposes for which the information was collected. In addition, the parties must continue to protect the personal information, and the affected individuals must be notified of the disclosure by one of the parties to the transaction within a reasonable time.
The business transaction exemption does not apply where the primary function of the transaction is to buy, sell, or lease personal information. The new exemptions set out in section 7 of the Act bring welcome clarity to the treatment of personal information during business transactions.
New Enforcement Powers for the Commissioner
Section 15 of the Act is now in force and grants the Commissioner means to enter into compliance agreements with organizations that he or she reasonably believes have, or are about to, violate provisions in PIPEDA. Such an agreement can include any terms the Commissioner considers necessary to ensure compliance with PIPEDA. If a counterparty organization breaches the agreement, the Commissioner is authorized to apply to the Federal Court for a compliance order or a hearing.
It is important to note that being party to a compliance agreement will not insulate the organization from claims made by individuals or from the prosecution of an offence underPIPEDA.
Disclosure without Consent or Knowledge of the Individual
Section 6(1) of the Act amends section 7(3) of PIPEDA such that organizations may disclose personal information to other organizations, without the consent or knowledge of the individual and without a court order, if the disclosure is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation. Organizations may choose to voluntarily notify the affected individuals, notwithstanding that PIPEDA does not require the giving of notice in the aforementioned circumstances.
In situations where financial abuse is suspected, organizations can disclose personal information to government institutions or the individual’s next of kin without the consent or knowledge of the individual and without a court order, provided there are reasonable grounds to believe the individual is a victim of “financial abuse”, the information is solely used to avert or investigate the abuse, and it is reasonable to expect that obtaining consent from the affected individual would undermine investigative efforts.
There is some uncertainty as to how the changes to section 7(3) of PIPEDA will be reflected in practice. The changes to this section free Canadian organizations, in applicable circumstances, to disclose personal information in their possession for purposes of investigation of breaches of agreements and laws, which could result in significantly more disclosures of personal information, without notice or warrants, in situations involving legal disputes.