Canadian Government Amends and Strengthens PIPEDA, Adding Breach Notification Requirement and Filling Other Gaps

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.

The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.

Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.

Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.

The law also creates an explicit authority to enable the federal Privacy Commissioner to enter into a compliance agreement with an organization, where the Commissioner believes on reasonable grounds that the organization has contravened, or is about to contravene, the Act. If such an agreement is later contravened, the Commissioner will be able to apply to the Federal Court of Canada for a remedial order, even if the original limitation period for such an application has lapsed. The law also extends the limitation period for an application to the Federal Court for damages or injunctive relief to one year after the Commissioner issues a report of findings or otherwise discontinues an investigation. Previously, such applications had to be brought by either the Commissioner or a complainant within 45 days of a report of findings or discontinuation.

The Digital Privacy Act also imposes new requirements on the form of consent that the Act requires from individuals respecting the handling of their personal information. Going forward, any consent will be valid only if an individual to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use and disclosure of the personal information to which they are consenting. In introducing the bill originally, the government indicated that the revised consent provision is intended to better protect children and adolescents, although some have expressed concern that the proposed amendment may require “customized” consent language for a much broader range of constituencies. In light of the revised language, companies should review their existing privacy policies and requests for consent to the collection, use and disclosure of personal information in order to ensure that the intended audience will understand the nature, purpose and consequences of the data usage to which they are consenting. This is particularly true for businesses targeting children and youth, but could also extend to other potentially vulnerable groups, such as senior citizens and recent immigrants.

The law contains a number of amendments that are beneficial to the business community. For example, it expands the scope of “business contact information,” a category of personal information excluded from the application of the Act, to include any information that is used to communicate with an individual in relation to their employment, business or profession. In other words, the Act will not apply to business-contact information that is used solely for the purpose of communicating with an individual in relation to their employment, business or profession.

The Digital Privacy Act fills another important gap in PIPEDA, whereby companies currently require consent to disclose personal information to buyers, or potential buyers, of a business—creating complexities if the seller has not previously secured such consent through its privacy policy.  The law now includes an exception allowing for the use and disclosure of personal information, without consent, in the context of prospective or completed business transactions, such as the sale of a business or portion thereof.  Similar exceptions are currently available under both the Alberta and British Columbia private sector privacy laws.

One controversial change in the Digital Privacy Act is an amendment to PIPEDA that permits an organization to disclose personal information without consent to any other organization in connection with investigations of a breach of a law or agreement, or for the purposes of detecting, suppressing or preventing fraud. Many observers have raised concerns about the apparently broad scope of this provision, which could, for example, authorize internet service providers to disclose subscriber identities to copyright holders alleging online infringement.

Organizations doing business in Canada will want to review their privacy compliance programs to ensure compliance with the amended federal law, particularly with respect to breach reporting and breach record retention. Many will also be watching closely for the announcement of the date on which the data breach notification provisions come into force. In particular, businesses might be well advised to:

  • Develop and implement policies and procedures respecting the creation and retention of records of all data breaches;
  • If they have not already done so, put together a specialized data breach response team, and protocols for the assessment of data breaches and potential reporting to affected individuals and regulators;
  • Review all documents and communications through which consent to the handling of personal information is obtained, to ensure that such communications will be meaningful to the intended audience;
  • Review and revise, as necessary, privacy policies and internal procedures respecting the situations in which the organization may disclose personal information to other organizations for the purpose of investigating breaches of law or for detecting, suppressing or preventing fraud, as well as what documentation will be required in order for such disclosures to be made.



