On June 18, 2015, Canada’s Senate and House of Commons passed the Digital Privacy Act to amend the country’s federal Personal Information Protection and Electronic Documents Act (PIPEDA). Many of the amendments are scheduled to come into force on a date to be determined by the government. The revised requirements (highlighted below) will have a significant impact on the treatment of personal information by organizations that are subject to PIPEDA. These are organizations that either are federally regulated and fall under the legislative authority of the Parliament of Canada, or operate within a province that does not have in place data protection legislation that has been determined to be substantially similar to PIPEDA (all Canadian provinces other than Alberta, British Columbia and Quebec).
Four amendments are noteworthy for businesses subject to PIPEDA.
Mandatory breach notification
The Digital Privacy Act introduces a breach notification requirement to the federal law. Overall, the requirements are substantially similar to the provincial requirements in Alberta, which have been in effect since 2009. The revised PIPEDA requires organizations to notify both affected individuals and the Privacy Commissioner of Canada, as soon as feasible, if they have suffered a breach of security safeguards that creates a “real risk of significant harm” to individuals. Whether that threshold is met depends on factors such as the sensitivity of the personal information involved and the probability that it has been or will be misused. The amendments further require organizations to keep and maintain records of every breach of security safeguards, whether or not it was reportable, and to make those records available to the Privacy Commissioner upon request.
Exemption for business contact information
The Digital Privacy Act introduces an exemption from the requirement to obtain individuals’ consent for the collection, disclosure and use of personal information when the information at issue is business contact information (including an email address). The exemption will only apply, however, where the collection, disclosure or use of the information is solely for the purpose of communicating or facilitating communications with the individual in relation to his or her employment, business or profession. PIPEDA will continue to prohibit organizations from more general disclosure of business contact information (e.g., bulk disclosure for marketing) to third parties without first receiving individuals’ consent.
Exemption for business transactions
The revised PIPEDA will specifically permit the sharing of personal information without individuals’ consent in the context of due diligence for business transactions, such as M&A, a partial sale of assets or transfer upon insolvency, provided certain conditions are met by the parties to the transaction. Organizations engaging in these types of business transactions will need to ensure compliance with the statutory requirements that resemble those found in Alberta’s privacy legislation. For example, under the PIPEDA amendments, only information necessary to the transaction may be communicated pursuant to an undertaking to protect the information with appropriate security measures and to use it solely for purposes related to the transaction. If the transaction does not proceed, the information must be returned. Otherwise, it may only be used after completion of the transaction for the purposes for which it was originally collected and if certain conditions are met, including notice to the individuals concerned.
The updated legislation also gives organizations the ability to disclose personal information to other organizations for the purposes of investigating a breach of an agreement, or a contravention of a Canadian law, or in connection with detecting, preventing or suppressing fraud.
These updates are seen as facilitating the ability of organizations to build robust anti-money laundering and fraud detection and prevention programs not only within Canada, but within an international context for multi-national organizations.
Greater consequences for non-compliance
The PIPEDA amendments make it a criminal offence for an organization to knowingly fail to comply with the notification and record-keeping requirements following a breach of data security.
If found guilty of such an offence, organizations may be liable for fines of up to CAD $100,000. In addition, the amendments give the Privacy Commissioner greater flexibility to disclose information gathered while investigating an organization for breach of the information security safeguards in PIPEDA. The law also authorizes the Privacy Commissioner to enter into and enforce compliance agreements with organizations coming under the privacy commissioner’s jurisdiction.
The bottom line
With these changes to PIPEDA, organizations gain more flexibility when dealing with personal information for certain business and transactional purposes, provided the new conditions related to business contact information and the use of personal information in the course of a business transaction are met. The changes raise the stakes for non-compliance with PIPEDA, particularly around breach notification and record-keeping, while expanding the permissible scope of information sharing. Organizations should also review whether the new investigative and fraud-prevention disclosure provisions allow them to implement national and international data-sharing projects to detect and deter fraud or investigate breaches of the law.