On June 18, 2015, Canada passed into law Bill S-4 - The Digital Privacy Act. Bill S-4 made a number of important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), most of which came into force on June 18, 2015.
PIPEDA and Quebec
In Quebec, the Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (the "Private Sector Act"), applicable to private sector organizations, is recognized as being essentially similar to PIPEDA. This means that organizations subject to the Private Sector Act are not subject to the provisions of PIPEDA with respect to the collection, use and disclosure of personal information when these activities are carried out within the province.
These organizations must nevertheless continue to comply with PIPEDA when they engage in interprovincial or international business activities (e.g. customers outside the province, outsourcing of personal information to third parties situated abroad, etc.). Private sector businesses under federal jurisdiction established in Quebec (banks, telecommunications companies, etc.) remain subject to PIPEDA. It is therefore important for many Quebec companies to keep abreast of the recent amendments to the federal legislation.
Mandatory breach notification
Summary of the new rules
PIPEDA will now include a mandatory requirement for organizations to give notice to affected individuals and to the Office of the Privacy Commissioner of Canada (the "Commissioner") about data breaches in certain circumstances. These provisions will be brought into force at a future date after regulations are finalized.
Section 10.1 of PIPEDA will require organizations to notify individuals (unless prohibited by law), and report to the Commissioner, all breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual".
PIPEDA defines "significant harm" as including, among other harms, humiliation, damage to reputation or relationships and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse, and any other prescribed factor.
The notice to individuals and the report to the Commissioner must be given in the prescribed form "as soon as feasible" after it is determined that a breach occurred. The Commissioner may publish information about such notices if the Commissioner determines that it would be in the public interest to do so.
The notice must contain sufficient information to allow the individual to understand the significance to them, and to take steps, if possible, to reduce the risk of harm. The notice must be conspicuous and given directly to the individual, except in certain circumstances where indirect notice (e.g. posting to a website) may be permitted.
Where notice is given to individuals, section 10.2 of PIPEDA will require organizations to notify other organizations (e.g. credit bureaus) and government if such notice could reduce risks or mitigate harm. Consent is not required for such disclosures.
Implications for organizations
Subject to the regulations, the breach notification requirement in PIPEDA is similar to the current common practice under Alberta privacy law (where breach notification requirements have been in place for a number of years). However, since PIPEDA covers far more organizations and activities across Canada, the introduction of breach notification is expected to dramatically increase the number of notices in Canada.
Mandatory breach notification will present new costs, risks and challenges for organizations, large and small. For example, based on the breach notification experience in the United States and Canada, the risk of litigation and class actions in the wake of a data breach may be increased following a notification.
The new rules may also increase the growing interest in Canada in cyber liability insurance (which will often cover liability, defence and other costs associated with responding to data breaches). Organizations and underwriters are sure to take note of the new rules.
Organizations must ensure that they have in place internal safeguards, policies and procedures to adequately detect, escalate and respond to privacy incidents. For example, it is crucial that organizations implement an incident response plan and training for employees regarding the need to escalate and report all suspected breaches. As described below, violations of the breach notification provisions may lead to offences and fines.
Mandatory record-keeping for all breaches
Section 10.3 of PIPEDA (which will be brought into force at a future date) will require organizations, in accordance with prescribed requirements, to keep and maintain a record of every breach of safeguards involving personal information under their control.
In addition, upon request, organizations must provide the Commissioner with such records. The Commissioner may publish information from such records if it would be in the public interest.
There is no threshold associated with the record keeping obligation--a record of all breaches of security safeguards must be kept, irrespective of whether they give rise to a real risk of significant harm. Nor is there any threshold before an organization would be required to provide its 'breach file' to the Commissioner.
Subject to the regulations, which may specify retention periods and the form and the level of detail to be included in a breach record, the new record-keeping requirement in PIPEDA has the potential to be onerous and to create costs and risks for organizations. One would expect plaintiffs' counsel to request production of the 'breach file' in the course of discovery in a privacy breach litigation matter. Prospective cyber insurers may also seek access to the 'breach file' in the underwriting process when assessing risk, in addition to usual questions about past breaches and incidents.
Heightened consent requirement
Section 6.1 of PIPEDA imposes a crucial new requirement regarding consent. It states that consent is valid only if it is reasonable to expect that the affected individual would understand the "nature, purpose and consequences" of the collection, use or disclosure of personal information to which they are consenting.
This new consent requirement will put the spotlight on what organizations tell individuals about the information they collect, how it is used, and to whom it is disclosed, particularly in respect of children and other vulnerable individuals. The new requirement is in addition to the pre-existing requirement in section 4.3.2 of Schedule I to PIPEDA, which requires organizations to make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used, and to state purposes in such a manner that the individual can reasonably understand how the information will be used or disclosed.
In light of the new requirement, where consent forms or privacy terms are found to be inadequate, or, worse, misleading, organizations may find that the consents they have obtained for large numbers of individuals (e.g. consumers, patients, employees, etc.) are not valid. Such a finding could have severe consequences for organizations which are dependent on the validity of such consents in order to operate their business.
It is imperative that all organizations which rely on consents immediately consider reviewing their consent forms, web privacy statements and other privacy terms in order to determine whether changes should be made to ensure consents are valid. This review should include both customer and employee consents.
Note, however, that the Private Sector Act already provides that consent must be "manifest, free, and enlightened, and must be given for specific purposes" to be considered valid. One might think then that the additional requirements for consent are not likely to have a significant impact on Quebec businesses that already comply with the requirements of the Private Sector Act. However, this amendment is a reminder of the strict requirements to be met to obtain valid consent.
New exceptions to consent
Canada has done away with the "investigative bodies" regime under PIPEDA which permitted certain entities to share information without consent. However, several new consent exceptions have been introduced:
- Investigations and fraud: Sections 7(3)(d.1) and (d.2) of PIPEDA introduce broad new exemptions which permit organizations to disclose personal information without consent to another organization to: (a) investigate a breach of an agreement or a law that has been, or is about to be, committed; or (b) detect or suppress fraud, or to prevent fraud that is likely to be committed. The exemptions apply only where it is reasonable to expect that obtaining consent would compromise the investigation or the ability to prevent, detect or suppress the fraud.
- It is important to note that the above exceptions are permissive only; they do not require an organization to disclose personal information without consent. Indeed, in many cases, there may be little to be gained for the disclosing organization and the disclosure may create privacy risk. In those cases, or where there is doubt about whether the exemption applies, it will often be preferable to require consent or a court order prior to making the disclosure. However, where the exemptions do apply, they will help organizations' efforts to combat fraud and breaches of agreements and laws;
- Managing employees: PIPEDA applies to personal information about employees of federal works, undertakings and businesses (e.g. banks, railways, etc.). Pursuant to sections 7.3 and 7.4 of PIPEDA, notice, not consent, is needed where employee personal information is collected, used or disclosed for the purpose of establishing, maintaining or terminating the employment relationship. This change brings PIPEDA in line with the private sector privacy laws in British Columbia and Alberta and should permit more flexibility in respect of employee personal information in the workplace; and
- Work product information: Section 7 of PIPEDA permits the collection, use and disclosure of personal information without consent where it was produced in the course of the individual's work or business and the collection or use is consistent with the purposes for which it was produced. This exemption should remove some barriers regarding employees' work product information where consent may not have been obtained. However, in many cases, organizations will likely wish to assert that employees' work product is not "personal information" and thus not subject to PIPEDA.
Business transactions exemption
It is often necessary for organizations to collect, use and disclose personal information, including employee personal information, in relation to due diligence and closing a business transaction. PIPEDA will now permit these activities without consent, provided that:
- The organizations have entered into an agreement that requires the recipient to: (a) use the information for the sole purpose of the transaction; (b) protect the information; (c) if the transaction does not proceed, return or destroy the information;
- The personal information is necessary to determine whether to proceed with the transaction; and, if a decision is made to proceed, to complete the transaction; and
- For completed transactions, the organizations must enter into an agreement that requires them to: (a) use and disclose the information for the sole purposes for which it was collected, used or disclosed prior to the transaction; (b) protect the information; and (c) give effect to any withdrawal of consent. In addition, the information must be necessary for carrying on the activity that was the object of the transaction and one of the parties must notify individuals within a reasonable time of the transaction and disclosure.
The above exemption does not apply if the transaction is for the primary purpose of, or results in, the purchase, sale or other acquisition, disposition or lease, of personal information. The exemption codifies common practice and is modeled on similar provisions in British Columbia and Alberta privacy law.
Enforcement and penalties
Knowing violations of the breach notification requirements or the breach record keeping requirements (e.g. covering up a breach, failing to notify or failing to keep records) can result in: (a) an offence punishable on summary conviction and a $10,000 fine; or (b) an indictable offence and a fine not exceeding $100,000. It is not clear how these provisions will be interpreted - e.g. whether a fine could be levied in respect of each individual affected by a breach.
Section 17.1 introduces in PIPEDA the concept of a "compliance agreement", which is an agreement between an organization and the Commissioner (enforceable in court) aimed at ensuring compliance with PIPEDA. This is a limited form of "safe harbour" for organizations which have committed, or are likely to commit, a breach of PIPEDA.
When a compliance agreement is entered into, the Commissioner is prohibited from applying to Federal Court in respect of any matter covered in the agreement. However, compliance agreements are not a complete safe harbour; they will not prevent the prosecution of an offence or an individual complainant from applying to Federal Court.
In light of the fact that individual complainants, not the Commissioner, have typically pursued PIPEDA matters in the Federal Court, organizations will need to consider carefully whether it is in their interest to enter into a compliance agreement. For example, a compliance agreement may be construed as an admission of a breach of PIPEDA. On the other hand, although a compliance agreement will not stop an individual complainant, the fact that an organization has entered into a compliance agreement may reduce a complainant's interest in pursuing the matter, and be a factor favouring the organization in the court's assessment of the organization's response to an incident. Courts have repeatedly emphasized that an appropriate response to privacy incidents can mitigate the likelihood and quantum of damages for breaches.
Section 20 of PIPEDA provides that the Commissioner and the Commissioner's representatives must keep confidential all information (including breach notifications and breach records) that comes to their knowledge in the course of performing their duties and powers under PIPEDA. However, organizations need to be aware that the Commissioner may publish any such information if the Commissioner determines that it would be in the public interest to do so. Disclosure may also be made to the government in certain circumstances related to breaches of agreements and contravention of laws.
PIPEDA does not apply to any "business contact information" (e.g. name, title, work contact information) collected, used or disclosed solely for the purpose of communicating with the individual in relation to their employment, business or profession (s. 2(1)).
PIPEDA now applies to employee personal information of authorized foreign bank branches (s. 2(1)(g)).
In addition to the consent exemptions described above, consent is no longer required when:
- Financial abuse: disclosing personal information to the government, or to next of kin or an authorized representative, where there are reasonable grounds to believe that an individual has been, is, or may be the victim of financial abuse. The exemption applies where the disclosure is for purposes related to preventing or investigating the abuse, and it is reasonable to expect that obtaining consent would compromise the ability to prevent or investigate the abuse;
- Witness statements: collecting, using and disclosing personal information contained in witness statements, where it is necessary to assess, process or settle an insurance claim;
- Communications with next of kin: disclosing personal information to the government upon request for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual, where the government has identified its lawful authority; and
- Identifying injured or deceased individuals: disclosing information to the government or next of kin or authorized representative which is necessary to identify an individual who is injured, ill or deceased (and if the individual is alive the organization must inform the individual in writing without delay of the disclosure).
Organizations need not provide access to information which is protected, in civil law, by the professional secrecy of lawyers and notaries (s. 9(3)(a)).
With the passage of the Digital Privacy Act, and in particular the pending breach notification and record keeping provisions, Canada has ushered in a new era of privacy law. Organizations subject to Canadian privacy law would be well-advised to take steps now to ensure they are, and will remain, compliant with the new rules.
The changes to the federal legislation raise jurisdictional questions, however, concerning the interaction between PIPEDA and the Private Sector Act.
Take the example of a Quebec company that suffers a security breach that involves personal information and that creates a "real risk of significant harm" to individuals situated mostly in Quebec, but also elsewhere in Canada. At present, there is no obligation in the Private Sector Act to notify the individuals affected by such a breach. If such a security breach occurs in Quebec, are we to understand that the organization would be required to notify the persons situated outside Quebec in order to comply with PIPEDA, but not necessarily those situated in Quebec, despite the fact that most of the individuals affected by the security breach are situated there? And if a foreign company doing business in Canada were to suffer a security breach, could it validly believe that it would not have to notify the affected persons, nor the Privacy Commissioner, if the only individuals for whom there is a real risk of significant harm are situated in Quebec?
Similarly, consider a Quebec company which in the course of its business transfers personal information to a co-contracting party situated in the United States. In the event of a security breach involving personal information held by the U.S. company, would the company doing business in Quebec have to notify all the individuals situated in Canada, even those situated in Quebec, since the security breach occurred when personal information was transferred across the border?
PIPEDA also introduces many exceptions concerning the consent requirement which are not found in the Private Sector Act. This is the case with parties that want to do due diligence before deciding if they will enter into a business transaction. The application of these exceptions raises the same jurisdictional questions. For example, could a Quebec company with an establishment in Ontario validly avail itself of this new provision by choosing to do its due diligence in one of its Ontario establishments? Conversely, could a company situated in Ontario avail itself of this new provision regardless of the fact that the due diligence involves the disclosure of personal information on persons situated in Quebec who did not give their consent to such disclosure?
These questions appear to us to be especially important, given the sanctions to which companies are liable when they knowingly contravene the notification obligation and the obligation to keep an updated record of security breaches. In light of the possible consequences for organizations, the new provisions of the federal legislation could give rise to disputes before the courts, which will ultimately clarify the questions raised above.
The government of Quebec announced in the spring that the stakeholders concerned will be consulted on the Private Sector Act with a view to possible amendments. Quebec's Private Sector Act came into force a decade before PIPEDA. Now the reform of PIPEDA is preceding the modernization of the Private Sector Act. It will be interesting to see if and to what extent the solutions adopted at the federal level inspire Quebec's lawmakers.