Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (short title: Digital Privacy Act) was introduced in the Senate on April 8, 2014 and was passed with one amendment after the third reading on June 16, 2014. The bill passed the first reading in the House of Commons and was referred to the Standing Committee on Industry, Science and Technology on October 20, 2014. The Committee report was adopted and presented to the House of Commons on April 22, 2015. (See Status of the Bill).
Bill S-4 amends PIPEDA in several ways, including by:
- permitting the disclosure of an individual’s personal information without their knowledge or consent in certain circumstances, including Clause 6(10) which allows disclosure without consent to another organization – for example, from one business to another – in order to investigate a breach of an agreement or a contravention (or anticipated contravention) of a federal or provincial law where it is reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the investigation;
- requiring organizations to take various measures in cases of data security breaches: Clause 10 creates a new Division 1.1 of PIPEDA, addressing “breaches of security safeguards” and containing new sections 10.1 through 10.3 of the Act. The new section 10.1 incorporates a test for breach reporting which emulates that found in Alberta’sPersonal Information Protection Act, the only legislation in Canada currently containing breach notification provisions. An organization must report a breach to the Commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” The definition of “significant harm” is an open-ended definition that includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property;
- creating offences for failure to comply with obligations related to data security breaches; and enabling the Privacy Commissioner, in certain circumstances, to enter into compliance agreements with organizations.
Enhanced Penalty Provisions
Clause 24 of Bill S-4 also modifies section 28 of PIPEDA to provide that every organization that knowingly contravenes the new sections of PIPEDA requiring organizations to record and report breaches of security safeguards or obstructs the Commissioner in the investigation of a complaint or in conducting an audit will now be liable for fines of up to $100,000 for indictable offences, or for fines of up to $10,000 for offences punishable on summary conviction. This provision would bring PIPEDA closer in line with Canada’s Anti-Spam Legislation (CASL), which provides for administrative monetary penalties for violations of the Act in amounts of up to $1,000,000 for individuals and $10,000,000 for other entities.
Reactions to Bill S-4
The Office of the Privacy Commissioner (OPC) supported the bill in its June 4, 2014, Submission to the Senate Standing Committee on Transport and Communication, stating that on the whole, the proposed amendments will strengthen the privacy rights of Canadians with respect to their interactions with private sector companies, improve accountability and provide incentives for organizations to comply with the law. In its Feb. 12, 2015, Submission to the Standing Committee on Industry, Science and Technology, the OPC endorsed its June 2014 submission, but provided additional comments in light of the seminal decision of the Supreme Court of Canada in R. v. Spencer. The OPC noted that carrying out a reasonable expectation of privacy analysis under PIPEDA is highly complex and contextual, leaving organizations in a state of uncertainty as to when they may or may not disclose personal information without a warrant. Therefore, the OPC urged the Committee to clarify when the common law policing powers to obtain information without a warrant can be used. The OPC recommended that a legal framework, based on the Spencer decision, is needed to help organizations comply with PIPEDA and ensure that state authorities respect the Supreme Court of Canada’s decision. The OPC concluded that passing Bill S-4 with a few adjustments will strengthen PIPEDA and help the OPC better protect Canadians while addressing the emerging privacy issues of the 21st century.
On the other hand, stakeholders and witnesses before the Committee raised various concerns regarding the privacy of individuals. On April 10, 2014, law professor Michael Geist of the University of Ottawa commented that the bill would expand the possibility of warrantless disclosure to anyone, not just law enforcement. Geist also appeared before the Industry Committee on March 10, 2015, noting that the broadly worded voluntary disclosure exception runs counter to Canadian court decisions, including the Spencer decision, which ruled that Canadians have a reasonable expectation of privacy with regard to personal information. Geist also noted that the bill lacks transparency and reporting requirements associated with personal information disclosure. This omission could be addressed by adding provisions that would require organizations to report on the number of disclosures made without consent or court oversight and to notify affected individuals.