Bill S-4, the Digital Privacy Act (the Act), was recently passed by the Senate and has received first reading in the House of Commons. If passed by the House of Commons, this new legislation will have significant impacts on the treatment of information by organizations that are subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), either because they are federally regulated and fall under the legislative authority of the Parliament of Canada, or because they operate within a province that does not have in place legislation that has been determined to be substantially similar to PIPEDA.
The Act is the government’s third attempt to reform PIPEDA. With the government’s previous efforts under Bills C-29 (2010) and C-12 (2011) both dying on the order paper, introducing the bill in the Senate may have been a way to ensure the bill completes the legislative process.
Exemptions for businesses
Many changes to PIPEDA proposed in Bill S-4 are similar to those that were previously tabled. Three recurring proposals are particularly noteworthy for businesses subject to PIPEDA.
First, the Act introduces an exemption from PIPEDA’s consent requirements for collection, disclosure and use of personal information when the information at issue is business contact information (including an email address). The exemption will only apply, however, where the collection, disclosure or use of the information is done solely for the purpose of communicating or facilitating communication with the individual in relation to his or her employment, business or profession. The Act would still prohibit organizations governed by the legislation from more general disclosure of business contact information to third parties without first receiving consent.
Second, the Act clears up the confusion concerning sharing personal information in the context of a business transaction by permitting organizations to collect, use and disclose personal information during business transactions, without consent, provided certain conditions are met by the parties to the transaction. Organizations engaging in the kinds of business transactions covered by the proposed changes will need to ensure compliance with these conditions to avoid running afoul of their more general obligations under the Act – making clear the need for carefully structured non-disclosure agreements as part of the due diligence process.
Some of the more controversial amendments proposed to PIPEDA include the ability of organizations to disclose personal information to other organizations if the disclosure is for the purposes of investigating a breach of an agreement or a contravention of a Canadian law or the disclosure is for the purposes of detecting, preventing or suppressing fraud.
These new provisions have been both criticized and applauded. The bill has been sharply criticized for opening the door to a wide expanse of warrantless searches and secret information sharing, creating the possibility of increased litigation against private citizens for alleged copyright infringement, and allowing Internet service providers to share personal information with any entity investigating a breach of contract or illegal activity. However, the legislation is also applauded for facilitating the ability of organizations to build robust anti-money laundering and fraud detection/prevention programs not only within Canada, but within an international context for multi-national organizations. Critics of the amendments point to the fact that the proposed amendments may do more to expand the sharing of personal information than to protect personal information from disclosure.
Finally, the Act will make it mandatory for businesses to notify both individual customers and the privacy commissioner of Canada if they have suffered a data security breach that could “create a real risk of significant harm” to individuals. The amendments further require organizations to keep and maintain records of any such breaches, making them available to the privacy commissioner upon request.
Greater consequences for non-compliance
Careful compliance with the Act will be particularly important going forward in light of some changes being proposed in the Act that were not contemplated in earlier iterations tabled by the government. Most notably, the amendments create a criminal offence for an organization to knowingly fail to comply with the notification and record-keeping requirements following a breach of data security as discussed above.
If found guilty of such an offence, organizations may be liable for fines of up to $100,000. In addition, the amendments would give the privacy commissioner greater flexibility to disclose information gathered while investigating an organization for breach of the information security safeguards in PIPEDA and give the privacy commissioner additional powers to enter into and enforce compliance agreements with organizations coming under the privacy commissioner’s jurisdiction.
The bottom line
Ultimately, if the changes to PIPEDA proposed by the Digital Privacy Act become law, organizations will gain more flexibility when dealing with personal information for certain business and transactional purposes, provided the new conditions related to business contact information and the use of personal information in the course of a business transaction are met. The proposed changes raise the stakes for non-compliance with PIPEDA but greatly expand the permissible scope and extent of information sharing. Organizations governed by PIPEDA must now assess whether their systems for the collection, disclosure and use of personal information need to be amended to ensure compliance if/once the Act becomes law. In addition, all organizations will be reviewing and assessing the scope of their ability to implement national/international data-sharing projects to detect and deter fraud or investigate breaches of the law.