1. Overview
On September 29, 2011, the Canadian government introduced Bill C-12 to amend the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private sector privacy act. If passed into law, the Bill will alter the current form of PIPEDA in several important respects.
2. Key Proposed Amendments
(a) The Definition of “Personal Information”
Bill C-12 redefines “personal information” to remove the provision that business contact information is not personal information. Under PIPEDA, “personal information” is currently defined as “information about an identifiable individual”, excluding “the name, title or business address or telephone number of an employee of an organization”. The proposed changes, which are consistent with the definition in Alberta’s private sector privacy act, would remove the reference to business contact information, bringing it within the definition of personal information. A new exemption will be created that provides that protections granted to personal information do not apply to the newly defined “business contact information” when it is used “solely for the purpose” of communicating with an individual in relation to their “employment, business or profession”. This amendment would strengthen the protection available to business contact information, as it restricts the exemption to a prescribed class of uses rather than excluding such information from the application of PIPEDA altogether. “Business contact information” is now defined in Bill C-12 as an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual.
(b) The Elements of Valid Consent
PIPEDA requires informed consent to collect, use or disclose an individual’s personal information. The validity of the consent is currently interpreted in the light of the “reasonable expectations” of the individual from whom it is sought. Bill C-12 seeks to clarify this provision by providing that consent will be valid only if it is reasonable to expect that the individual providing it understands “the nature, purpose and consequences of the collection, use or disclosure of personal information” to which they are consenting. Overall, this amendment would provide statutory guidance on what persons seeking consent to use personal information should disclose to the individual. Further, the government has indicated that this provision should provide increased protection to minors due to the fact that it is expected that the aforementioned reasonable expectation of an individual’s capacity to understand will vary with age.
(c) The “Business Transactions” Exception
Bill C-12 contains an important new exception to the requirement for informed consent to use and disclose personal information which will expressly permit companies entering or contemplating “business transactions” to use or disclose personal information in deciding whether to enter the transaction, or to complete it. The definition of “business transactions” includes the sale of a business, mergers, amalgamations, providing financing to an organization and leasing an organization’s assets. However, the exception will not apply to a business transaction in which the primary purpose or result of the transaction is the “purchase, sale or other acquisition or disposition, or lease, of personal information”.
In using or disclosing personal information in the course of a business transaction, an organization will be required to protect the information by means appropriate to its sensitivity, and use and disclose it only for purposes related to the transaction. If the transaction does not proceed, the personal information must be returned to the party that disclosed it, or be destroyed. After an organization has completed such a business transaction, it would only be permitted to use and disclose personal information under its control for the purposes for which the information was permitted to be used before the transaction, provided the information is necessary for the business activity that was the objective of the transaction, and provided one of the parties to the transaction notifies the individual to whom the information pertains within a reasonable time after the transaction has been completed.
(d) The Employment Relationship Exception
An additional exception would permit businesses to collect, use and disclose personal information without the consent of the individual in order to establish, manage or terminate an employment relationship between the business and that individual. However, prior to any such collection, use or disclosure, the business would have to inform the individual that his or her personal information may be collected, used or disclosed for those purposes.
(e) Disclosure without Knowledge or Consent
Bill C-12 clarifies that where an organization discloses an individual’s personal information to a government institution, without the individual’s knowledge or consent, in accordance with a permitted purpose (e.g. for the purpose of enforcing any law of Canada), the organization will not be permitted to inform the individual about such a disclosure unless certain criteria have been met. Specifically, an organization that wishes to inform an individual about any such disclosure must first notify the concerned government institution in writing of its intention, and may not take action before the earlier of (i) 30 days after the institution has been notified or (ii) the institution indicating that it does not object to such action. However, where a government institution does object, Bill C-12 states that it may only do so on the basis of certain prescribed grounds, e.g. if it is of the opinion that the action could reasonably be expected to be injurious to national security, the defence of Canada or the enforcement of any law of Canada. Finally, following such an objection, the organization must inform the federal Privacy Commissioner of the objection in writing.
(f) Investigation, Prevention and Detection
Bill C-12 also clarifies that an organization may disclose personal information without the knowledge or consent of an individual if the disclosure is necessary to (i) investigate a breach of an agreement, or a contravention of the laws of Canada or a province, that has been, is being or is about to be committed, or (ii) prevent, detect or suppress fraud when it is reasonable to expect that disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Additional language now also provides that organizations can disclose personal information without the knowledge or consent of an individual to a government institution, a part of a government institution, or the individual’s next of kin or authorized representative if the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse and the disclosure is made solely for purposes related to preventing or investigating the abuse. These proposed amendments will be very helpful to financial and other institutions tasked with such prevention efforts.
(g) Mandatory Breach Notification
Bill C-12 will also create important new mandatory reporting obligations on organizations subject to PIPEDA, requiring them to report any “material breach of security safeguards involving personal information under its control” to the federal Privacy Commissioner “as soon as feasible after the organization determines that a material breach of its security safeguards” has occurred. Such breaches will include the loss of, unauthorized access to, or unauthorized disclosure of personal information. In determining whether a breach is “material”, organizations will be required to consider the sensitivity of the personal information involved, the number of individuals affected, and whether the cause of the breach or pattern of breaches is indicative of a systemic problem. Currently, only Alberta has an analogous mandatory reporting requirement, although Canada’s other Privacy Commissioners accept and encourage voluntary reports of security and data breaches.
Bill C-12 goes beyond the requirements in Alberta’s Personal Information Protection Act by additionally requiring organizations to notify individuals directly of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach “creates a real risk of significant harm” to the individual. In contrast, Alberta’s privacy law empowers the Commissioner to order the organization to notify an individual where the Commissioner deems it necessary. Under the new Bill, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Individuals would be permitted to file a complaint with the federal Privacy Commissioner if these procedures are not followed.
Bill C-12, and in particular its provisions relating to business transactions and mandatory breach notification, will be of interest to all organizations that collect and use personal information in Canada in the course of their commercial activities. Consequently, its future progress should be monitored in order to ensure continued compliance with Canada’s privacy laws.