Proposed Amendments to PIPEDA to Include Breach Notification Requirement
The bill would specify the meaning of "valid consent" to require that individuals understand the "nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting."
PIPEDA currently carves out certain business-related contact information from its definition of "personal information." Bill C-29 would formally codify these exceptions in a proper "Business Contact Information" clause that would exempt from PIPEDA any information "the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession."
The bill would also introduce a broad exception that would allow the use and disclosure of personal information in the context of prospective or completed business transactions such as mergers and acquisitions, financings, leases, licences and securitizations. This exemption would not apply, however, where the transaction’s primary purpose is the purchase, sale or lease of personal information.
Bill C-29 would also add new exceptions to allow the collection, use and disclosure of personal information without an individual’s consent. The new exceptions would apply to personal information that is (i) contained in a witness statement related to an insurance claim; (ii) produced in the course of employment, or to establish, manage or terminate an employment relationship; (iii) required to communicate with next-of-kin; (iv) required for policing services; (v) disclosed to prevent, detect or suppress fraud or financial abuse; or (vi) used to identify injured, ill or deceased individuals.
The bill also clarifies the existing exception for disclosure to a lawful authority, by noting that organizations do not require a subpoena, warrant or court order before disclosing personal information required as part of a formal government investigation. Nor is the organization required to verify the validity of the lawful authority before complying.
Under Bill C-29, the biggest change to PIPEDA would be the introduction of a reporting and notification requirement for privacy breaches. Specifically, in the event of a breach of security safeguards that protect personal information:
- An organization would be required to report to the federal privacy commissioner "any material breach of security safeguards involving personal information under its control." The bill sets out a non-exhaustive list of factors to be considered in determining materiality, including the sensitivity of the information, the number of individuals involved, and the cause of the breach.
- If it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to any individuals, the organization must notify those individuals of the breach. Significant harm is defined in the bill to include "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property."
- The organization would also be required to notify any third-party company or government body of the breach if notification might mitigate the harm of the breach.
McCarthy Tétrault Notes
Many of the changes found in Bill C-29 would simply serve to formalize or clarify existing duties and exceptions under PIPEDA. The consent exception related to information "to establish, manage or terminate employment relationships" will come as welcome news to federally regulated employers. Likewise, the business transactions exception should make the due diligence process involved in selling businesses easier. Both these changes also bring PIPEDA into alignment with the private sector privacy legislation in Alberta and BC, which currently have similar consent exceptions in those circumstances.
The addition of the provision on "valid consent" was intended to provide clarity but may in fact introduce greater uncertainty. A broad application of the "nature, purpose and consequences" requirement imposes a heavy burden on businesses, and could be difficult to satisfy.
As for mandatory breach notification the federal government is following in the footsteps of the Alberta government, which recently enacted a breach notification rule in its Personal Information Protection Act (PIPA). The two rules, however, differ in several important respects.
- Threshold — PIPEDA would require organizations to notify the federal privacy commissioner of "material" breaches, while PIPA requires commissioner notification when there is a real risk of significant harm to an individual. While the number of individuals affected by the breach is one factor in determining whether a breach is reportable to the commissioner under PIPEDA, a breach in Alberta is reportable even if only one individual is at risk. So breaches that are reportable under PIPA may not be reportable under PIPEDA.
- Decision-maker — Under PIPA, the Alberta privacy commissioner determines whether organizations need to notify individuals. PIPEDA, once amended, would require organizations to make that call based on their own assessment of whether there is a real risk of significant harm to an individual. If that risk arises, organizations must notify the individual, even if they do not have to report the breach to the commissioner because the breach does not meet the materiality threshold.
- Enforcement — Under PIPA, individuals and organizations can be fined up to $10,000 and $100,000 respectively for failing to notify the commissioner of a breach. Bill C-29, by contrast, does not propose specific penalties for non-compliance with the PIPEDA notification requirements. (That said, the federal privacy commissioner can investigate privacy complaints, conduct its own investigations and audit an organization’s information handling practices. As well, the Federal Court can award damages for contraventions of PIPEDA.)
Should Bill C-29 be enacted, organizations that collect, use or disclose significant amounts of personal information will wish to re-examine their privacy policies, their privacy breach protocols, and their information security measures. Should the mandated breach notifications come into force, the potential for reputational harm will increase — further underscoring the importance of adequate personal information safeguards.