On June 18, 2015, the Canadian Parliament passed into law the Digital Privacy Act (the “Act”), which amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to businesses in every Canadian province except British Columbia, Alberta and Quebec; however, businesses in those provinces may become subject to PIPEDA if they operate in federally-regulated sectors or if personal information that originated in their province crosses provincial borders. Although many of the Act’s provisions will come into force on June 18, 2015, certain key features, such as the mandatory breach notification requirement and the mandatory record-keeping requirement, will not come into force until regulations are issued by the Canadian government. This blog post summarizes some of the Act’s key provisions.
Alston & Bird would like to thank Alex Cameron at Fasken Martineau for his research and assistance regarding the new Digital Privacy Act. For more information regarding the Digital Privacy Act please review Fasken Martineau’s bulletin.
Mandatory Data Breach Notification Requirement
Section 10.1 of the Act sets forth the mandatory data breach notification requirement. Pursuant to this provision, organizations that are subject to PIPEDA must notify the Office of the Privacy Commissioner of Canada (the “Commissioner”), as well as potentially affected individuals, about a data breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” Such notification must occur “as soon as feasible” and should include “sufficient information to allow the individual to understand the significance . . . of the breach and to take steps . . . to reduce the risk of harm that could result from it or mitigate the harm.” The Act includes relevant factors to consider when determining whether there is a “real risk of significant harm.” Furthermore, the Act specifically defines “significant harm” as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” If the affected organization finds that another governmental institution or organization may be able to reduce or mitigate the risk of harm, that organization shall have an obligation to notify such other governmental institutions or organizations.
Mandatory Record-Keeping Requirement
Another new provision of the Act, which is not yet in force, is the mandatory record-keeping requirement. Pursuant to this requirement, organizations that are subject to PIPEDA, must “keep and maintain a record of every breach of security safeguards involving personal information under its control.” Furthermore, upon request, the organization must provide the Commissioner with the record.
In order to comply with this new requirement, Canadian organizations will want to ensure that they have the necessary procedures, safeguards, and policies in place to adequately address and respond to data breaches.
Enforcement and Penalties
In order to enforce these two new requirements, the Act has set forth enforcement provisions and penalties. If an organization knowingly violates the breach notification requirement or the breach record keeping requirement, the organization may be fined up to $100,000 Canadian Dollars.
The Act has also amended the standard for consent, and has added new exemptions for consent. Consent is necessary where personal information is being accessed, collected, used, transferred, or disclosed. The new graduated consent standard states that consent is only valid if it is reasonable to expect that the affected individual would “understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” Thus, in order to ensure that the applicable consent is valid, Canadian organizations should be very clear and explicit in their notices, privacy terms, or other documentation.
The Act contains numerous exemptions for consent. Examples of the new exemptions include when organizations need to disclose personal information to investigate a breach of a contract, law or fraud, and when employee personal information is accessed, collected, used, or disclosed for matters involving such employment. One of the most far-reaching exemptions is the business transactions exemption. Under the business transactions exemption, businesses and organizations may access, collect, use or disclose personal information in connection with a business transaction (e.g., bankruptcy, merger or acquisition), provided that such organization enter into an agreement that ensures that the business receiving the personal information has the appropriate security safeguards and that the personal information is necessary for the proposed transaction. If the business transaction completes, the businesses must enter into an agreement that requires them to only use and disclose personal information for the purposes for which it was initially accessed, collected, used or disclosed, protect the information, and give effect to the withdrawal of consent.