The Government of Canada has amended the Personal Information Protection and Electronic Documents Act ("PIPEDA"), which generally governs the collection, use, and disclosure of personal information by private sector organizations in all Canadian provinces except for Alberta, British Columbia and Québec. Some of the amendments came into force immediately as of June 18, 2015, while others will not come into force until a later date yet to be fixed. This brief commentary addresses five key changes to PIPEDA and the effects they may have on businesses.
1. Clearer rules regarding sharing personal information in the context of business transactions
Organizations are now expressly permitted to use and disclose individuals' personal information without their knowledge or consent where the personal information is necessary to determine whether to proceed with or complete a business transaction, and certain measures are taken to protect the information. If the transaction is not completed, all personal information must be returned or destroyed by the recipient within a reasonable amount of time. If the transaction is completed, then the recipient may continue to use and disclose the received personal information without the individuals' knowledge and consent as long as certain security measures are taken, the personal information is necessary for carrying on the activity that was the object of the transaction, and the individuals are notified of the completion of the transaction and the disclosure of their personal information within a reasonable amount of time afterwards. Notably, this exception to the general consent requirement does not apply where the purpose of the transaction is to buy, sell, or lease personal information.
This exception mitigates some of the privacy compliance obligations previously associated with business transactions. However, an important question to consider when determining whether personal information can be shared as part of a business transaction is whether any such disclosure is necessary as required by the new provision.
2. Notice but not consent required for necessary uses of employee information
Federal works, undertakings, or businesses ("FWUBs"), such as banks, airlines and telecommunications companies, may now collect, use, and disclose the personal information of an individual without his or her consent where it is necessary to establish, maintain, or terminate an employment relationship between that individual and the FWUB, and the FWUB has informed the individual of the purpose of the collection, use, and disclosure. These new provisions are similar to existing provisions in Alberta and British Columbia's privacy legislation, and, while their application is limited to FWUBs, they give such employers a wider scope in which to collect, use, and disclose the personal information of current and potential employees without the need for express consent.
3. Data breach notification requirements eventually to apply under PIPEDA
PIPEDA has been amended to include data breach notification requirements, but the amendments will only come into force on an unspecified day. Once the amended provisions come into force, organizations affected by a data breach will be required to make prescribed disclosures to the Office of the Privacy Commissioner of Canada ("OPC") and to affected individuals where there is a reasonable expectation that the data breach could create a risk of significant harm. Knowingly failing to report a data breach may result in fines of up to C$100,000. The OPC will also have the power to publicize data breaches. These potential consequences strengthen the need for organizations to implement safeguards that protect against data breaches occurring in the first place.
4. Organizations permitted to share personal information in the context of investigations
Organizations may now disclose personal information to another organization without the knowledge or consent of an individual where it is reasonable for the purposes of investigating a breach or possible breach of an agreement or Canadian law, and it is reasonable to expect that obtaining the individual's consent would compromise the investigation. Similar exceptions also apply to investigations involving the detection, suppression or prevention of fraud or where a person is suspected of being a victim of financial abuse.
While this amendment expands the types of circumstances in which organizations are now permitted to share personal information without consent, organizations should remember that PIPEDA requires any use or disclosure of personal information to be reasonable and for proper safeguards to be implemented whenever personal information is transferred from one party to another.
5. OPC's enforcement actions now include compliance agreements
The OPC now has the authority to enter into binding compliance agreements with organizations where it believes on reasonable grounds that an organization has committed, will commit, or is likely to commit an act or omission that would contravene PIPEDA. Compliance agreements are voluntary on the part of the organizations and may contain any terms that the OPC considers necessary to ensure compliance with PIPEDA.
It is important to note that a compliance agreement cannot prevent private claims by individuals or the consequences that flow from such claims. In addition, if the OPC believes that the agreement is not being complied with, it can take steps to require compliance, or reinstate or bring court proceedings against the organization. Compliance agreements may impose significant monetary and non-monetary obligations on an organization before any violation has been proven. Organizations may agree to enter into compliance agreements in an attempt to clear their name and demonstrate a commitment to the protection of privacy, but doing so may come with a cost.