On April 8, 2014, Canada’s government introduced Bill S-4, the Digital Privacy Act, in the Senate. Bill S-4 is the federal government’s latest attempt to reform the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). It would be a mistake to say that it is largely recycled from the government’s last attempt to reform PIPEDA in 2011 through Bill C-12, which died on the order paper. Here’s what’s different, what’s been dropped, and what seems to be largely the same. Caveat: This is a first read!
- Fines for Failure to Record and Report Breaches. First the big news: The government is proposing that it would be a criminal offence for an organization to knowingly fails to keep prescribed records for breaches (see below) or to knowingly fail to report breaches in compliance with PIPEDA (also below). These offences would be punishable by fines of CAD$100,000 (indictable offence) and CAD $10,000 (summary conviction). To facilitate this provision, the Commissioner may disclose breach records and reports to law enforcement or the Public Prosecution Service of Canada for investigation and prosecution.
- Records of Breaches. Organizations must keep and maintain records of any breaches of security safeguards and provide those records to the Commissioner on request.
- Altered the Test for Breach Reporting. The test for reporting a breach of security safeguards to the Office of the Privacy Commissioner of Canada in Bill C-12 involved an analysis of whether the breach was “material” having regard to a non-exhaustive list of factors. The government has changed its approach and adopted a test that appears to be based on the test in Alberta — that is, an organization must report a breach to the Commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. The listed factors for what constitutes a real risk of significant harm (sensitivity of the personal information and probability of misuse) are the same as for a “material breach” under C-12, but the factors also include the possibility of additional prescribed criteria.
- Confidentiality of Breach Reports and Records. Unlike Alberta, the Commissioner to make a disclosure of breach reports and records for prosecution, these reports will remain confidential. In Alberta, the Commissioner must make a breach notification order. If the order requires individual notification, it is always public.
- Compliance Agreements. The government is granting the Commissioner additional powers to enter into enforceable compliance agreements with organizations. These compliance agreements may include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfil the terms of the compliance agreement to the satisfaction of the Commissioner, the Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement. This resolves an enforcement conundrum that the Commissioner previously because of limitation periods on seeking court orders following the conclusion of an investigation. This provision will significantly enhance the jurisdiction of the Commissioner provided that organizations determine that it is better to enter into agreements than to start to litigated. It is important to note that compliance agreement does not provide immunity to the organization from an action by an individual for compensation or from prosecution for an offence.
- Broadening Regulatory Powers. The government has modernized and broadened the regulatory powers of the Executive Branch. This may result in more flexibility to pass clarifying regulations as issues arise under PIPEDA.
- Gag Order Provisions. It appears that the government has dropped the provisions in Bill C-12 that restricted the ability of organizations to be transparent with individuals when they provided information to law enforcement and other government institutions (even absent a court order).
- Lawful Authority Clarification. The government also appears to have dropped the provisions clarifying that an organization need not inquire into the lawful authority of law enforcement seeking information without a warrant or production order and has also dropped the provisions clarifying the meaning of lawful authority. No doubt the government feels the pending proposed amendments to theCriminal Code granting organizations immunity from voluntarily collecting and disclosing information is sufficient to overcome any lingering doubts of organizations regarding the parameters for responding to pre-warrant requests for information.
What’s largely recycled?
- Conditions for Valid Consent. The requirement for informed consent has been reintroduced.
- Work Product Information Exceptions. Exceptions for the collection, use and disclosure of work product information have been reintroduced.
- Disclosure of Information in a Business Transaction. The provisions in Bill C-12 enacted to facilitate the sharing of personal information in the course of the due diligence process and the completion of business transactions for the purchase and sale of a business have been largely recycled.
- Business Contact Information. As with Bill C-12, the government has introduced an exemption from the requirement for consent for the collection, use and disclosure of business contact information when used solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. However, the government has tweaked the definition of business contact information. Business contact information is now “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment”, including the usual data elements such as name or title, work address, work telephone number, work fax number or work email address. Previously, the definition began with this list of data elements and ended with a “basket clause”.
- Financial Abuse Exceptions. Regrettably, the ham-fisted exception for disclosure without consent to deal with the plague of financial abuse (particularly of the elderly) have been reintroduced. The provisions permit disclosure to a government institution (which is not controversial) and also to next of kin or an authorized representative (neither of which is defined) irrespective of the competency of the individual. The government appears to have been deaf to the decades of provincial experience with substitute consent.
Now, the only question is whether the government will fare better getting this Bill passed than it has previously.