There were several important privacy developments in 2015 that may potentially impact organizations doing business in Canada in the year ahead and beyond.
ONE | ONLINE BEHAVIOUR ADVERTISING AND CONSENT
In April, the Office of the Privacy Commissioner of Canada (OPC) released its investigation report regarding Bell’s Relevant Ads Program (RAP). The RAP involved the creation of Bell Mobility customer profiles based on demographic and account information combined with network usage information, such as specific websites visited and apps used. Bell was to use the profiles to serve third-party ads, charging fees to the advertisers.
The OPC determined that Bell’s use of an opt-out form of consent for the RAP was not appropriate given the sensitivity of the information (including sensitive website URLs) and the reasonable expectations of Bell’s customers. According to the OPC, Bell customers paid a significant amount for their mobile services and would not reasonably have expected Bell to use information for further financial benefit without their express consent. The report also specified that, in the absence of customer consent, Bell could not create customer profiles and that it would not be sufficient to simply stop using the profile for targeted advertising. The report is largely consistent with previous OPC findings and guidelines relating to online behaviour advertising and appropriate forms of consent, but it will nonetheless have a significant impact on businesses engaged in tracking, profiling and targeting of customers, including in the rapidly expanding area of the “Internet of Things.”
TWO | DIGITAL PRIVACY ACT
In June, the Digital Privacy Act received Royal Assent. The act makes a number of amendments to Canada’s federal private-sector privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA).Perhaps the most significant amendments that may affect businesses are those that create a scheme for mandatory breach reporting. Although these particular amendments are not yet in force, once they become effective, they will require organizations to notify the OPC of a data breach that poses a “real risk of significant harm” to affected individuals.
Organizations will also be required to notify government institutions and other organizations in certain circumstances, including when those entities may be able to reduce or mitigate the risk of harm to the affected individuals. Further, organizations will be required to keep records of all data breaches, even those that do not meet the harm threshold. Knowingly failing to report or record a data breach is an offence punishable by a fine of up to C$100,000.
Although these provisions are not expected to come into force until late 2016, organizations are well advised to start thinking about the policies and procedures that will need to be implemented to comply with these reporting and record-keeping requirements.
THREE | PROTECTION OF PERSONAL DATA
In October, the Court of Justice of the European Union (CJEU) released its decision in Schrems v. Data Protection Commissioner. In that case, the CJEU invalidated the European Commissioner’s decision that allowed the transfer of personal data from the EU to an organization in the United States, which had undertaken to comply with EU-U.S. safe-harbour principles. Although not directly applicable to organizations in Canada, the decision may, nonetheless, impact Canadian businesses with multinational operations. It also opens the door to a similar challenge relating to the European Commissioner’s decision that PIPEDA adequately protects EU personal data, the mechanism by which most transfers of personal data between the EU and Canada are sanctioned by EU data protection laws.