Proposed Amendments to PIPEDA: A Change for the Better?

Amanda Carpenter is a JD Candidate at Osgoode Hall Law School.

On Tuesday, May 25 the Government of Canada introduced Bill C-29 to amend the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) in order to create a more secure online environment for both consumers and businesses. To provide a brief overview, PIPEDA sets out rules that organizations must follow when collecting, using or disclosing personal information in the course of commercial activity. Commercial activity is defined in the Act as meaning “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”. The Act is mandated to be reviewed by Parliament every five years, and the tabled legislations to amend the legislation are a result of its first review.

The government has decided that major changes to the Act are not needed at this time, but the legislation could benefit from what it calls some minor changes to "fine-tune" some of its provisions. Some of the amendments include a mandatory breach notification and exceptions to the consent requirement for business contact information. The new sections 10.1 and 10.2 are the mandatory breach notification provisions that require organizations to report data breaches to the Privacy Commissioner of Canada and to notify affected individuals and certain organizations when the breaches are deemed to pose a real risk of significant harm. Real risk is defined as based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. Significant harm is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The exceptions to the consent requirement for business contact information have been introduced to enable personal information to be released to help protect potential victims of financial abuse, to assist in identifying injured, ill or deceased individuals and to contact their next of kin. More interesting amendments include the enhancements to the consent provisions of the Act that are being proposed to further protect the personal information of minors. Section 6.1 stipulates that consent is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. Also changed is the exclusion of Business Contact Information (meaning an individual’s name, position name or title, work contact details, etc.) from the application of the statute if that information is used for managing the employment relationship, produced for work purposes, and used for due diligence in business transactions.

Some find these changes to be worrisome, particularly the “gag order” provision that is an addition prohibiting an organization from notifying an individual that information has been requested or obtained by a government institution if the government institution to whom the information was disclosed objects. This provision was added in order to protect the secrecy and integrity of investigations by law enforcement and security agencies. Michael Geist, the Canada Research Chair of Internet and E-commerce Law at the University of Ottawa, calls the “gag order” provision problematic since it encourages business to disclose personal information without court oversight. He is also concerned in regards to the lack of penalties regarding the security breach notification provisions that may result in organizations not notifying individuals of the breach of their personal information. He calls Bill C-29 the “Anti-Privacy Privacy Bill” since he is of the opinion that it does little for Canadians’ privacy and instead provides new exceptions for businesses and new powers for law enforcement.

The Government of Canada reports that the new requirements for reporting data breaches will complement the new identify theft legislation, as they will give consumers the information they need to protect themselves against identity theft arising from the loss or theft of their personal information. Others might comment with worry on the “gag order” provision that allows the government to monitor individuals without court approval, possibly contributing to the development of a police state. Regardless of whether these proposed amendments are for the better or worse, PIPEDA will likely be soon undergoing changes, changes that the government has decided are minor but that others might see as altering privacy law in Canada significantly.