On April 8, 2014, the federal government introduced Bill S-4 in the Senate. Bill S-4, titled the Digital Privacy Act, marks the government’s third attempt since 2010 to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Bill S-4 reintroduces several elements from two previous bills while adding significant new content, including a new offence for failure to report privacy breaches and increased enforcement powers for the Federal Privacy Commissioner (Commissioner). The salient features of the bill, as well as their potential impact on business, are discussed below.
Like its predecessors, Bill S-4 introduces a mandatory data breach notification requirement. However, Bill S-4 reformulates the test for determining whether a particular data breach is reportable: while previous bills required an analysis of whether a breach was “material,” Bill S-4 shifts the question to whether the breach poses a “real risk of significant harm” to an individual. This standard for reportable breaches is similar to that under Alberta’s Personal Information Protection Act (Alberta PIPA).
Unlike the Alberta PIPA, however, Bill S-4 provides both a definition for “significant harm” and a non-exhaustive list of factors to consider in determining the existence of a “real risk.” This additional guidance, as well as the body of decisions generated to date under the Alberta PIPA, may assist PIPEDA-regulated organizations in assessing whether any given data breach is reportable. Organizations should note, however, that under the proposed amendments, all data breaches must be recorded and reported to the Commissioner upon request.
Bill S-4 also differs from the Alberta PIPA by requiring organizations to notify both the Commissioner and any affected individuals of any reportable data breach. Under the Alberta PIPA, organizations are first required to notify the Alberta Information and Privacy Commissioner, who may then order the organization to notify affected individuals (although organizations may notify affected individuals on their own initiative).
Bill S-4 adds teeth to its breach reporting and recording requirements. Under the proposed amendments, an organization that knowingly fails to report or record a breach as required by PIPEDA (as amended) is guilty of an offence punishable by fines of up to C$100,000.
The proposed amendments under Bill S-4 reintroduce a number of business-friendly features found in previous bills.
For instance, the bill contains a “business transaction” provision that will allow organizations to use and disclose personal information without consent in connection with mergers, acquisitions, financings, etc. (both during due diligence and post-closing), provided certain conditions are met.
Bill S-4 also amends the definition of personal information to remove the exclusion for business contact information but then exempts the collection, use and disclosure of business contact information from consent requirements under PIPEDA, if such information is collected, used and disclosed solely for the purpose of communicating or facilitating communication with an individual about his/her employment, business or profession. Importantly, “business contact information” is given a broad definition under the bill and will include business email addresses, which are not currently excluded from the definition of personal information under PIPEDA. Notwithstanding this exemption, organizations should be aware that any communication made through email must comply with requirements under Canada’s new anti-spam legislation (see December 2013 Blakes Bulletin on Anti-Spam Legislation – The Waiting Game Is Over).
An innovative feature of Bill S-4 is a new power of the Commissioner to enter into a “compliance agreement” with an organization if the Commissioner believes, on reasonable grounds, that the organization has committed, is about to commit or is likely to commit a breach of PIPEDA. Execution of such an agreement, which may contain any terms that the Commissioner considers necessary to ensure compliance under PIPEDA, forestalls the Commissioner’s ability to apply to the Federal Court for a hearing. However, a compliance agreement would not insulate an organization against applications brought by individuals or against prosecution for an offence under PIPEDA.
Failure by an organization to abide by the terms of a compliance agreement allows the Commissioner to apply to the Federal Court for certain remedies, including an order requiring compliance, or a hearing. This new feature would enhance the Commissioner’s enforcement powers, although it falls short of the order-making power urged by some stakeholders.
Bill S-4 contains a number of other notable features, such as an extension of the timeline for an individual to apply for a court hearing and the codification of the necessary elements for valid consent. The bill also includes several new exceptions to the consent requirement. Among the more controversial are provisions that would allow an organization to disclose personal information to another organization without consent where the disclosure is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province, or for the purposes of detecting, suppressing or preventing fraud. In either case, the exception applies only if it is reasonable to expect that disclosure with consent would compromise the investigation or the ability to detect, suppress or prevent the fraud (as applicable).
While Bill S-4 has only received first reading, there may be greater appetite to see this bill pass given the number of data breaches in recent months, including most recently the disclosure of the Heartbleed bug, a flaw in the OpenSSL library that allowed attackers to read server memory, exposing passwords and other sensitive data on approximately half a million secure websites to theft. If Bill S-4 passes, it will significantly change the privacy landscape in Canada.