As of June 18, 2015, amendments to the Personal Information Protection and Electronic Documents Act in Bill S-4 are in effect, including the following:
- Broadened regulatory powers of the Privacy Commissioner of Canada, including the ability to enter into compliance agreements with organizations
- A clarified concept of “valid consent” for the collection, use and disclosure of personal information
- Permitted disclosure of information in a business transaction under certain circumstances
- Exceptions to the consent requirement, including for certain investigations
A breach notification and recordkeeping requirement is expected to come into effect at a later date. When it does, organizations will be required to notify affected individuals and the Office of the Privacy Commissioner of Canada in case of a security breach if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” Organizations will also be required to notify any other organization that can reduce the risk or mitigate the harm from the breach.