On June 18, 2015, Bill S-4, better known as the Digital Privacy Act (DPA), received Royal Assent and became law.[1]  The DPA makes significant changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) and raises the profile of the Privacy Commissioner.  Prior to the DPA, PIPEDA had more bark than bite – breach reporting was optional, and fines could only be applied in limited circumstances.  However, PIPEDA is about to gain some teeth: once the relevant provisions come into force, the DPA will require mandatory breach reporting to both the Privacy Commissioner and the affected individuals, with associated fines of up to $100,000 for a failure to report or to adequately document a breach.

Overview

PIPEDA and the amendments in the DPA apply to private sector organizations that collect, use or disclose information about Canadian citizens in the course of commercial activities (regardless of whether or not they have charitable or non-profit status[2]), and to information about employees of the organization if the information is collected, used, or disclosed “in connection with the operation of a federal work, undertaking or business,” a phrase that broadly applies to federally regulated industries.

It is of note that PIPEDA does not apply universally throughout Canada; “substantially similar” provincial legislation, as declared by federal regulation, applies in lieu of PIPEDA to non-federally regulated organizations in the provinces of British Columbia, Alberta, Manitoba (once its privacy legislation comes into force) and Quebec.[3] This means the amendments in the DPA may not affect certain organizations in British Columbia, Alberta and Quebec.

Significantly impacting organizations falling under PIPEDA’s purview, the DPA made the following key amendments:

The definition of “consent” has changed:

PIPEDA mandates informed consent and a clear statement regarding the purpose behind the collection of personal information. The DPA adds that consent is only valid if it is reasonable to expect that the individual understands what they are consenting to: if they understand the nature, purpose and consequences of the collection, use or disclosure of their personal information.[4]  This appears to create a scale of consent; communications directed at a more sophisticated individual can reasonably use more sophisticated language, while clear, simple language should be used when dealing with vulnerable populations such as children or seniors.[5]  However, this may not be as simple as it seems.  Take the popular example of social media: a platform such as Twitter collects a large amount of personal information from a wide demographic of people.  Could Twitter use existing users’ posted information to determine what sophistication of language is required for valid consent?  Would they be required to request information such as age before directing someone to a personalized consent page?

Moreover, a common point of confusion for many organizations is whether consent obtained pursuant to Canada’s Anti-Spam Legislation (CASL)[6] may be translated to consent under PIPEDA, and vice versa.  This is not generally the case.  Only where the purpose for obtaining consent is specific enough to cover both pieces of legislation will a single consent suffice.  Organizations may wish to review their consent provisions to determine whether consent should be re-obtained to ensure it meets the new definition.

A definition for “business contact information” has been added:

In addition to the individual’s name, position and telephone number, business contact information such as a work address, fax number and work email address may now be disclosed without violating that individual’s privacy under PIPEDA.[7]  This is similar to the so-called “business card exception” under CASL, where consent to an unsolicited commercial electronic message is implied where the person has disclosed their contact information without indicating that they would not like to receive such messages, and where the message is relevant to the person’s business, their role, functions or duties in the business, or their official capacity.[8] 

Exceptions to consent for business transactions

Of potential benefit to employers, the DPA expanded the exceptions for when organizations may validly disclose personal information without knowledge or consent.  For example, information produced by the individual in the course of employment may now be disclosed as long as it is used in a consistent manner.[9] Additionally, organizations party to prospective business transactions may now use and disclose personal information necessary to a transaction, subject to an agreement to protect that information and destroy it if the transaction does not proceed.[10]

Mandatory breach reporting: (Not yet in force)

  1. To the Privacy Commissioner

The DPA introduces, for the first time, mandatory breach reporting at the federal level in Canada.  The Commissioner must be notified of any breach that creates a real risk of significant harm to an individual, as soon as feasible.[11]

The threshold for notification of a “real risk of significant harm” is the same as that adopted by Alberta in its 2009 amendments to the Personal Information Protection Act (PIPA).[12]  PIPA was the first privacy legislation in Canada that required mandatory breach notification, and it appears that the federal government is following in Alberta’s footsteps, at least with regard to the reporting threshold.  The federal definition of significant harm is broad, and includes bodily harm, humiliation and damage to reputation as well as identity theft and financial loss, among others.[13]  Although undefined in Alberta’s PIPA, the provincial Information and Privacy Commissioner has considered similar criteria such as a real risk of embarrassment, harassment, financial loss, reputational harm, identity theft and fraud sufficient to ground a finding of significant harm.[14]  While these decisions are not binding on the federal Privacy Commissioner, they will likely be highly persuasive, particularly in similar fact scenarios.

  2. To the impacted individuals

All individuals who may reasonably face a real risk of significant harm from the breach must also be notified directly and as soon as feasible following the breach.  This notification must allow the individual to understand how the breach may impact them and what steps they can take to reduce or mitigate the risk, as the case may be.[15]

The DPA is more onerous than PIPA with respect to individual reporting, and as such, there is no persuasive provincial guidance from Alberta.  Under PIPA, once a breach has been reported to the Commissioner, the Commissioner may only require that the affected individuals be notified as a subsequent step. Elsewhere, although Manitoba’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) requires individual notification of any privacy breach, it is not yet in force.[16]

Based on a plain language reading of the DPA, the Commissioner and the affected individual(s) will need to be notified simultaneously, which may risk over-reporting to individuals as the Commissioner may later determine that the breach did not in fact meet the threshold test of a real risk of significant harm.  Individual notification may also increase the number of individuals applying to the court for relief following the Commissioner’s findings, although the quantum of damages awarded in such actions to date has been low,[17] or elevate the organization’s risk of an individual civil action or even a class action following a privacy breach.[18]

  3. To other organizations or government institutions

Other organizations or government institutions that may be able to reduce or mitigate the risk flowing from a privacy breach must also be notified as soon as feasible following a breach.[19]  This shifts the onus away from the Commissioner to make the recommendation in their report and onto the responsible organization.  Regulation is needed to flesh out the details of this requirement, such as the conditions for notification.

The mandatory reporting requirements will come into force by Order in Council, sometime in the future.  Prior to this, the government will consult with stakeholders and the Office of the Privacy Commissioner to develop the corresponding regulations.

The Commissioner may report any information to the public:

Prior to the DPA, the Commissioner had a narrow power to make any information relating to personal information management practices public if it was in the public interest.  The DPA significantly broadens this power to include any information that comes to the Commissioner’s knowledge during the exercise of their powers or duties.[20]  During a privacy investigation or audit, organizations may now need to ensure that arrangements have been made to protect any confidential trade information or trade secrets.

Failure to report a breach or a lack of record-keeping may result in significant fines:

The DPA introduces fines of up to $100,000 for failing to report any breach to both the Commissioner and the impacted individual as soon as feasible after the breach.  Organizations may also be fined up to $100,000 for failing to maintain records of any breach.  This is very similar to the fine regime in Alberta under PIPA.  However, due to the differences in mandatory reporting requirements (Alberta organizations must report to one Commissioner, while federal organizations must report to the Commissioner and all the impacted individuals), it is not yet clear how these provisions will be interpreted – whether the $100,000 limit would apply per organization, per breach event, per individual affected, or in some other way.  For example, if ten subscribers’ personal information was taken from an organization on two different days, and the breaches were not reported, the maximum fine might be $100,000, $200,000, $1,000,000 or possibly some other amount.  More information on this issue will likely be provided in the course of developing and implementing regulations related to mandatory reporting.

Tips for employers and organizations:

  • Review existing consent forms to ensure that the language is clear and reasonable, particularly when dealing with vulnerable populations, and re-obtain consent if needed.
  • Review and update privacy policies and security safeguards to address reporting procedures.
  • Ensure that privacy policies address record-keeping, and that employees know how to proceed should a privacy breach occur.
  • As a general tip, privacy policies and security safeguards should be monitored and updated on a regular basis to ensure they are current and are still being followed.

Although the DPA’s amendments have given PIPEDA some teeth, how to avoid its bite remains to be determined by regulation.  For now, organizations should concentrate on ensuring they have consent provisions that comply with the amendments, and should keep an eye out for the impending changes, including the coming into force of the mandatory reporting regime.