On Tuesday, April 8, 2014, the Federal Government introduced important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill S-4, the “Digital Privacy Act”, was introduced by the Leader of the Government in the Senate. The Bill is part of “Digital Canada 150”, a multi-pronged plan of the Government intended to permit and encourage Canadians and Canadian businesses to benefit from the opportunities created by the digital economy. The Government indicates that the Digital Privacy Act will ensure that Canadians are safer and more secure when they surf the web or shop online. In the view of the Government, the proposed amendments to PIPEDA will better protect consumers, simplify rules for businesses, and increase compliance with PIPEDA.
The following briefly summarizes the key provisions of the Bill:
Mandatory Breach Notification
- The creation of a legislative duty to notify of certain breaches of security safeguards.
- The obligation to notify arises where there has been unauthorized access to or disclosure of personal information resulting from such a breach.
- Notice must be given to both the Privacy Commissioner of Canada (OPC) and the individuals affected, provided it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm.
- There are factors provided to assess whether there is a real risk of significant harm.
- There are requirements for the content of the notice as well as timing of the notice.
- There may also be an obligation to report to other organizations or government institutions if they may be able to reduce the risk that could result to the affected individuals.
New Record Keeping Requirements
- An organization must retain a record of every breach of security safeguards, whether or not it is obligated to report the breach, and provide the record to the OPC on request.
- Exemptions from the requirement to obtain consent for: the disclosure of personal information in the context of business transactions, including mergers and acquisitions; the collection, use and disclosure of work product; and the collection, use and disclosure of information in witness statements when necessary to assess, process or settle an insurance claim.
- Higher threshold for valid consent: a requirement that the person understand the consequences of the collection, use or disclosure of their personal information.
Additional Power for OPC
- The OPC has been given additional authority to enter into a “compliance agreement” with an organization, which the Commissioner can apply to the Court to enforce.
- It will be an offence to fail to notify the OPC and the affected individuals regarding breaches of security and to fail to maintain a record of every breach (whether or not notice is required).
- The penalties include fines of up to $100,000.