With the Digital Privacy Act receiving Royal Assent June 18, 2015, Canada has taken a step in the right direction when it comes to further protecting personal information. The Digital Privacy Act has been received with great fanfare by those looking for greater regulation over data breach notification, and sanctions for the harm caused by those breaches. Unfortunately, the notification and sanction provisions of this Act are not yet in force.
The Digital Privacy Act is a series of amendments to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA applies to any work, undertaking or business that is under the legislative authority of Parliament, as well as some businesses that fall under provincial regulation. If you are not sure whether it applies to you, check here.
For the most part, the provisions that came into force this week provide some clarity to regulated organizations on how and when they may collect, use and disclose personal information without the consent of the individual. These provisions are relatively benign and condone appropriate business transactions and activities without compromising personal information protection.
One provision that does stand out is the new section 6.1 of PIPEDA, which provides an objective standard for establishing valid consent for the collection or use of personal information:
…the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
Commentators will quickly pick up on the challenges of gaining consent from children and the elderly, but the problem may be much more fundamental. The average consumer will likely be able to figure out the nature and purpose of the collection, use and disclosure of their personal information, but have no idea what consequences may flow. Getting valid consent under PIPEDA requires more than scroll and click – just how much more depends on what “reasonable to expect” will be interpreted to mean.
Overall, the amendments that are now in force are relatively uncontentious and, over time, will provide a measure of predictability in how our information is collected and used.
These benign provisions are really the calm before the storm. If and when the balance of the Digital Privacy Act comes into force, those organizations that are not prepared will face even greater liability for failing to ensure that the personal information they collect is not properly protected from a breach. Specifically, PIPEDA will then:
- require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
- require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control; and,
- create offences in relation to the contravention of certain obligations respecting breaches of security safeguards.
These provisions set the tone for the next generation of information protection, but do not provide us with all of the details. Questions about the nature and extent of breach notices, the form of the notice and the type of report required by the Privacy Commissioner will follow in Regulations. The details will no doubt create a new stir when promulgated.
For now, many organizations are still struggling to maintain current and adequate security controls. Further, the complexity and frequency of cyber-attacks is such that some breaches are detected well after the fact, when the scope and scale is difficult to determine. Add to the challenge the fact that managing information, including personal information, is one of the greatest challenges facing many organizations, and we have a perfect storm on the horizon.
When it comes to personal information breaches, few dispute that greater transparency and accountability is a good thing. By making all breaches reportable, the business case for proactive security, appropriate information governance and personal information protection will become even stronger. It will be interesting to see whether the fair warning provided by the pending provisions will drive organizations to prepare for that storm now. With the fair warning provided by the Digital Privacy Act, don’t expect much sympathy from the Privacy Commissioner if you aren’t ready when the storm hits.