Introduction

The Canadian Parliament introduced a Bill on May 25, 2010 (Bill C-29) to amend the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA was originally enacted to set out the requirements for the collection, disclosure and use of personal information by federal works and undertakings, and by commercial entities in connection with cross-border activities. The Act was subsequently extended to private sector organizations with respect to commercial activities that occur within any province, except where a province has enacted similar legislation. To date, three provinces (Quebec, Alberta and British Columbia) have enacted similar legislation, and accordingly PIPEDA does not apply to commercial activities within those provinces.

Removal of Requirement for Consent

The proposed amendments are intended to overcome some obstacles to business transactions by removing the requirement for individuals’ consent to certain activities. Specifically, organizations will be permitted to disclose personal information without the consent of affected individuals in the following circumstances:

  1. a business organization may disclose the personal information that it has collected to a prospective buyer if the parties have entered into a non-disclosure agreement, and the information is necessary to proceed with the transaction; personal information may also be disclosed after the transaction is completed, if disclosure of the information is required to give effect to the transaction, if a further agreement is made requiring the buyer to use the information solely for the purposes for which it was collected, and appropriate security safeguards are put in place. Affected individuals must also be notified following completion of the sale;
  2. federally regulated businesses may collect, use and disclose personal information for purposes of establishing, maintaining or terminating an employment relationship with affected individuals;
  3. an organization may disclose personal information to another organization for purposes necessary to investigate a breach of an agreement or a contravention of a law;
  4. an organization may disclose personal information in the case of an alleged fraud where the consent of the individual to the disclosure would undermine the ability to prevent or detect the fraud;
  5. an organization may disclose personal information to a government institution or next-of-kin where there are reasonable grounds to believe that the individual has been the victim of financial abuse, and disclosure of the information is necessary to prevent a continuation of the abuse; and
  6. an organization may disclose personal information to a government institution in response to a request made for law enforcement purposes, provided that the institution identifies the basis for its authority; however, the organization need not verify the validity of that authority such as by confirming that a warrant, subpoena or court order is in place.

Provisions for Data Breach Reporting and Notification

The proposed amendments would impose two separate obligations on an organization upon the occurrence of certain security breaches affecting personal information. These obligations are to report the breach to the federal Privacy Commissioner and to notify the affected individuals. However, the two obligations arise in different circumstances. An organization’s obligation to make a report to the Privacy Commissioner arises upon a “material breach of security safeguards involving personal information under its control”. The determination of whether a breach is “material” must be made based on factors such as the sensitivity of the information, the number of individuals affected and whether the breach reflects an underlying systemic problem.

An organization’s obligation to notify affected individuals arises “if it is reasonable in the circumstances to believe that [a data] breach creates a real risk of significant harm to the individual”. Examples of significant harm are bodily injury, reputational harm, financial loss, identity theft and loss of property. Whether a breach creates a “real risk” of such harm must be determined based on the sensitivity of the information and the probability of its misuse.

The notice provided to affected individuals must be sufficient “to allow the individual to understand the harm and to reduce the risk of harm”. Any notification must be given “in the prescribed form and manner” as soon as feasible after the organization confirms that the breach has occurred and that it is required to provide notification.

Conclusions

Under the proposed amendments, an organization may be required to notify affected individuals upon a data breach even if the breach does not result in the organization being required to report the breach to the Privacy Commissioner. For example, where a data breach affects a single individual who may be exposed to “significant harm”, the organization may be required to notify that individual. However, the fact that only one individual is affected may mean that the breach would not be “material” for purposes of requiring the organization to make a report to the Privacy Commissioner.