On April 8, 2014, the federal government introduced Bill S-4 in the Senate, also known as the Digital Privacy Act. This bill marks the government’s third attempt since 2010 to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Bill S-4 introduces a new offence for failure to report privacy breaches and increased enforcement powers for the Federal Privacy Commissioner. The bill also establishes stronger rules to ensure that vulnerable Canadians fully understand the potential consequences when companies ask to collect and use their personal information.
These changes to protect Canadians' personal information are key elements of Digital Canada 150, the federal government's plan for Canada's digital future.
Breach Reporting
Like its predecessors, Bill S-4 imposes a mandatory data breach notification requirement. However, Bill S-4 reformulates the test for determining whether a particular data breach is reportable: while previous bills asked whether a breach was "material," Bill S-4 shifts the question to whether the breach poses a "real risk of significant harm" to an individual. This standard for reportable breaches is similar to the one under Alberta's Personal Information Protection Act (Alberta PIPA).
Unlike the Alberta PIPA, however, Bill S-4 provides both a definition for “significant harm” and a list of factors to consider in determining the existence of a “real risk.” This additional guidance, as well as the body of decisions generated to date under the Alberta PIPA, may assist PIPEDA-regulated organizations in assessing whether any given data breach is reportable.
Bill S-4 also differs from the Alberta PIPA by requiring organizations to notify both the Commissioner and any affected individuals of any reportable data breach. Under the Alberta PIPA, organizations are first required to notify the Alberta Information and Privacy Commissioner, who may then order the organization to notify affected individuals.
New Offence
Bill S-4 adds teeth to its breach reporting and recording requirements. Under the proposed amendments, an organization that deliberately covers up a data breach by failing to report it or failing to keep a record of the breach (or knowingly destroying such records) is guilty of an offence punishable by fines of up to $100,000.
Business Exemptions
Bill S-4 contains a “business transaction” provision that will allow organizations to use and disclose personal information without consent in the context of mergers, acquisitions, financings, etc. (both during due diligence and post-closing), provided certain conditions are met.
The bill also amends the definition of personal information to remove the exclusion for business contact information, but then exempts the collection, use and disclosure of business contact information from PIPEDA's consent requirements where such information is collected, used and disclosed solely for the purpose of communicating, or facilitating communication, with an individual in relation to his or her employment, business or profession. Importantly, "business contact information" is given a broad definition under the bill and will include business email addresses, which are not currently excluded from the definition of personal information under PIPEDA. Notwithstanding this exemption, organizations should be aware that any commercial electronic message sent to such an address must still comply with Canada's anti-spam legislation (CASL), which comes into force on July 1, 2014. For assistance with CASL compliance, visit https://www.privatech.ca/privacy-consulting/casl-compliance-audit to learn about PrivaTech's CASL compliance audit services or the CASL compliance toolkit.
Other Notable Provisions
Bill S-4 contains a number of other notable features, such as an extension of the period within which an individual may apply for a court hearing, and a new provision setting out the elements required for valid consent. Under that provision, organizations must communicate clearly with their target audience when obtaining consent and must consider whether that audience (including children) is able to understand the consequences of sharing their personal information.
The bill also includes several new exceptions to the consent requirement, including controversial provisions that would allow organizations to disclose personal information to other organizations without consent if such disclosure is reasonable for the purposes of investigating a breach of an agreement or contravention of the law. Critics of Bill S-4 fear the bill could massively expand warrantless disclosure of personal information. The bill also sets limited exceptions to allow personal information to be shared in situations where disclosure is needed to help protect individuals from harm, such as to protect seniors from financial abuse, communicate with the family of an injured or deceased individual, or detect and prevent fraud.
While Bill S-4 has only received first reading, there may be greater appetite to see this bill pass given the number of data breaches reported in the media in recent months, including the disclosure of the Heartbleed bug in OpenSSL, which left approximately half a million secure websites exposing server memory contents, including user passwords, to theft. If Bill S-4 passes, it will significantly change the privacy landscape in Canada.