A Bill, short-titled the "Digital Privacy Act", was introduced in the Senate on April 8, 2014. It amends various sections of the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the collection, use, and disclosure of personal information by private sector organizations for commercial purposes.
PIPEDA provides that in certain enumerated circumstances, private companies are permitted to disclose personal information without consent. Section 7(3) currently allows non-consented-to disclosure in some limited circumstances, including where the disclosure is required to comply with a court order (subsection 7(3)(c)), and where the disclosurfe is made to an investigative body or to the government under the reasonable belief that the information relates to a breach of an agreement or a contravention of the laws of Canada (subsection 7(3)(d)).
An amendment to subsection 7(3) in the Digital Privacy Act expands the scope of the permitted exceptions, by allowing private sector organizations to disclose personal information to each other without consent if the disclosure is “reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada” (proposed section 7(3)(d.1)). The proposed section further stipulates that the disclosing organization must reasonably expect that seeking consent to the disclosure would compromise the investigation.
This proposed new exception is interesting given the recent Federal Court decision in Voltage Picture LLC v. John Doe and Jane Doe, 2014 FC 161. In Voltage, a film production company, Voltage, brought a copyright infringement action in Federal Court against internet customers who allegedly copied and distributed Voltage's films without authorization. Voltage did not have contact information for any of the customers (the "Does"), and sought that information from a third-party Internet Service Provider, TekSavvy. TekSavvy refused to disclose the information forcing Voltage to motion the Federal Court for a Norwich Order—a litigation tool compelling a third-party to disclose certain information that only the third-party possesses.
In granting the order, Prothonotary Aalto stressed the need to balance Voltage's rights to enforce their copyright and the privacy rights of the TekSavvy customer:
“…The enforcement of Voltage’s rights as a copyright holder outweighs the privacy interests of the affected internet users. However, that is not the end of the matter. As part of making any Norwich Order, the Court must ensure that privacy rights are invaded in the most minimal way possible…”
After reviewing decisions from U.K. and U.S. courts in similar cases, Prothonotary Aalto ordered TekSavvy to disclose personal information but limited it to names and mailing addresses of identified customers and imposed a number of conditions on Voltage’s use of that information to protect against Voltage acting as a "copyright troll" by intimidating customers into settlements through demand letters and litigation threats. One of the conditions required Voltage to first submit any demand letters it plans to send to those customer to the Court for approval.
If it comes into force, the proposed new exception to PIPEDA may have allowed TekSavvy to disclose the information sought by Voltage without judicial intervention and oversight. Further, the proposed exception may have allowed TekSavvy to share more than just the names and addresses of customers. Section 7(3)(d.1) may be a potential benefit to copyright and other intellectual property owners by obviating the need to seek a court order to obtain otherwise protected personal information from a third-party where the prescribed conditions exist.