It has been a long time coming, but this week the Personal Information Protection and Electronic Documents Act (“PIPEDA”)1 received a make-over, including new data breach notification provisions, with the enactment of the Digital Privacy Act. In the Canadian private sector, the federal PIPEDA applies to federal works, undertakings and businesses (more particularly, banks, telecommunications companies, airlines, railways and other interprovincial undertakings), as well as to provincially regulated businesses in provinces that do not have adequately similar privacy legislation.2
The new breach notification provisions, which are not yet in force3, have significant teeth. Fines of up to $100,000 per violation may be imposed when an organization knowingly violates the breach notification requirements.
The “trigger” for notification is a “real risk of significant harm to an individual”. In assessing the risk, organizations must have regard to factors such as potential humiliation and “damage to relationships” as well as potential financial harm to affected individuals.
The Digital Privacy Act amends PIPEDA in several important ways. The fundamental changes relate to the following:
- Specifying the elements of valid consent for the collection, use or disclosure of personal information;
- Permitting the disclosure of personal information without the knowledge or consent of an individual for the purposes of:
- identifying an injured, ill or deceased individual and communicating with their next of kin,
- preventing, detecting or suppressing fraud, or
- protecting victims of financial abuse;
- Permitting organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
- contained in witness statements related to insurance claims, or
- produced by the individual in the course of their employment, business or profession (this is sometimes referred to as “work product)”;
- Permitting organizations to use and disclose, without the knowledge or consent of an individual, personal information for several purposes related to prospective or completed business transactions;
- Permitting federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
- Requiring organizations to notify affected individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
- Requiring organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
- Creating offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
- Extending the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
- Providing that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with the sections of the Act to protect personal information in the private sector; and
- Modifying the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.
With these amendments, PIPEDA has become increasingly similar to the British Columbia and Alberta private sector privacy statutes. The provisions relating to employment relationships and to business transactions will provide greater clarity and practical direction for many organizations.
Some of the amendments to PIPEDA are controversial.
The requirements for valid consent now state that the consent of an individual is only valid “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting"4. Some commentators are concerned that the circumstances in which valid consent is obtained are now less clear than under the former provision, which simply required the consent of an individual to collect, use or disclose their personal information, subject to limited exceptions.5
PIPEDA now includes additional circumstances in which an organization is authorized to disclose personal information without consent of the individual, including with respect to investigations regarding breaches of agreements, contraventions of laws, detecting or suppressing fraud, as well as permitting disclosure without consent to non-government entities.6 Digital privacy experts have raised concerns that copyright holders will take advantage of these new provisions to inappropriately target suspected copyright infringers. Copyright holders see this as a welcome amendment, because digital copyright infringement has been particularly hard to fight in Canada. Further, privacy advocates have raised strong opposition to the expansion of warrantless disclosure to companies and government authorities, which some believe ignores a recent ruling of the Supreme Court of Canada which held that there is a reasonable expectation of privacy in internet subscriber information.7
The new data breach provisions have been less controversial, and many say that they are the first step to bringing Canadian law in line with data protection law in the rest of the world. An organization now must “report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”.8 The amendments also require notification directly to the individuals affected in particular circumstances. As noted above, any organization that knowingly contravenes these new provisions is guilty of an offence, which can include a fine of $100,000 for each violation.9
The breach notification provisions in the Digital Privacy Act are quite similar to the breach notification provisions in the Alberta Personal Information Protection Act. Decisions of the Alberta Privacy Commissioner which identify situations where notification is (or is not) required because the circumstances meet (or do not meet) the risk threshold of “a real risk of significant harm to an individual” will therefore provide useful guidance to organizations when determining whether notification is required under PIPEDA in a particular breach situation.