Digital Privacy Act is Now Law
The Digital Privacy Act (Bill S-4) passed into law yesterday, introducing (among other things) significant fines and mandatory breach notification (not yet in force) into the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations which handle personal information in the course of their commercial activities will want to undertake a review of their privacy policies and security safeguards. In light of the new power to levy significant monetary penalties, boards of directors may want to review their organization’s allocation of risk around these issues.
All new measures under the Digital Privacy Act are now in force, except for the data breach requirements (see discussion below).
The Digital Privacy Act introduces some provisions that will improve the operation of PIPEDA (for instance, introducing targeted exceptions to the consent principle, and expanding the scope of “business contact information” that will not be treated as “personal information”). However, there are four areas that will be of significant concern to organizations: consent, mandatory breach notification, penalties and confidentiality.
The Act introduces a “sliding scale” of consent that could render existing consents null. The new section 6.1 states (emphasis added):
For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The government’s press release indicates that clear, simple language will be necessary to obtain valid consents from “vulnerable” Canadians, particularly children, to ensure they fully understand the potential consequences of providing their personal information online.
Previously, there was a “one size fits all” form of consent. Provided the consent was informed, and the purpose of collecting the personal information was clearly stated, that was sufficient. The new sliding scale of consent will cause difficulty for organizations.
The amended language appears to require organizations to assess the sophistication of the users of its websites, products, and services and determine whether such persons understand what they are reading and agreeing to. For an organization with a website that has millions of visitors across multiple demographics, this may be expensive and ultimately, unworkable. For instance, a clothing retailer may have an online catalogue of kids’ and teens’ clothes – is the target demographic kids and teens? Or their parents? Would an organization have to “gate” their webpage with a question about age that, once answered, directs that person to one of a variety of privacy policies? Similar questions will arise for mass-market apps that are attractive to all kinds of audiences.
The Act introduces a new set of obligations with respect to breaches of security safeguards or a failure to establish those safeguards. These will not be in force until the government crafts implementing regulations following a consultation with stakeholders and the Office of the Privacy Commissioner. No timeline has been provided for the implementing of any regulations.
Once these provisions come into force, organizations will be required to report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Such report must be made “as soon as feasible after the organization determines that the breach has occurred”.
Organizations will also be required to notify a potentially affected individual of such breach, using a similar threshold.
The “as soon as feasible” requirement is likely to be challenging for organizations in the throes of a data breach, where facts are moving targets and it takes weeks (sometimes months) to understand what has happened. Organizations will be reluctant to provide anything too specific for fear of litigation risk down the road, and may in fact be required to issue multiple notices as an investigation evolves, leading to consumer confusion and “breach fatigue”.
Notice is required where there is a “real risk of significant harm” to an individual. The term “significant harm” is defined to include, among other things, “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.
Further, an organization encountering a breach will have additional reporting obligations to other organizations and government institutions if the breached organization believes the other organizations may be able to reduce their risk of harm as a result.
The Act introduces liability for knowingly violating the notification requirements. An organization may be liable for fines up to $100,000 per violation. It is unclear at this time whether a “violation” will include a single incident. (e.g. a single failure to notify all individuals) or each incident (e.g. each failure to notify each individual).
Faced with the risk of this kind of liability, organizations will likely be inclined to over-report, once again leading to “breach fatigue” in consumers.
Under the previous regime, while the Commissioner had the power to “name and shame” wrongdoers, the Commissioner was (with few exceptions) required to keep information that was provided to it confidential. The new Act now provides the Commissioner with the right to make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers as well as information in security breach notifications to the Commissioner. (s. 20)
This is likely to make organizations much less willing to make a full and frank disclosure to the Commissioner. In addition, organizations dealing with the Commissioner will now have to be concerned about ensuring their trade secrets and confidential information are adequately protected (potentially through sealing orders or similar mechanisms) as well as ensuring that, by providing information to the Commissioner, they are not in violation of their agreements with third parties or requests made by law enforcement.
Improvements to PIPEDA
(a) New Exemptions to Consent Requirements
The government used the Digital Privacy Act to introduce a number of sorely needed exemptions to consent requirements under PIPEDA. Of note, consent will not be required to:
- use personal information contained in a witness statement that is necessary to assess, process or settle an insurance claim
- use personal information produced by an employee in the course of their employment, business or profession
- disclose personal information to a government institution if the disclosing organization has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction
- disclose personal information made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada, or for the purposes of detecting or suppressing fraud or of preventing fraud
- use or disclose necessary personal information in association with a prospective business transaction, so long as the information is safeguarded and the information is returned or destroyed if the transaction does not proceed
The final provision is particularly welcome in transactional contexts where the vendor has not obtained the consents to share personal information for due diligence purposes in a deal. While courts have occasionally issued orders to permit such disclosures, this has always been a cumbersome and uncertain process for parties to a transaction.
(b) Business Contact Information
The Digital Privacy Act modernizes the “business contact” carve-out from the definition of personal information. It expands it by exempting any contact information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession. This amendment clarifies that a business e-mail address is not covered by PIPEDA so long as it is used for the appropriate purpose of contacting an individual in a work context.