
Proposed PIPEDA amendments upgrade key provisions
By Fazila Nurani

July 09 2010 issue



The Minister of Industry recently tabled amendments to the federal private sector privacy legislation—the Personal Information Protection and Electronic Documents Act (PIPEDA). Two major amendments include breach reporting and notification requirements, and a consent exemption for the use and disclosure of personal information in business transactions.

PIPEDA was introduced in 2001 and has applied to many private sector enterprises since 2004. Section 29 of PIPEDA requires Parliament to review Part 1 of PIPEDA every five years, and the House Standing Committee on Access to Information, Privacy and Ethics (ETHI) completed that review in 2007. Over three years later, Bill C-29, the Safeguarding Canadians’ Personal Information Act, will amend PIPEDA in several significant ways.

Under Bill C-29, a breach is defined as loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization’s security safeguards or from a failure to establish those safeguards. Only the Alberta statutory equivalent to PIPEDA, the Personal Information Protection Act, currently has a breach notification requirement, but under the Alberta statute, breaches must be reported to the Alberta privacy commissioner if there is the possibility of harm to even one individual. The Alberta commissioner will then determine if individual notification is required.

Under the PIPEDA amendments, on the other hand, organizations must report data security breaches involving personal information to the Privacy Commissioner of Canada only if they are determined to be “material.” Materiality would be assessed based on criteria that include sensitivity of the information, the number of individuals affected and whether the breach is indicative of a systematic failure of security.

Unlike the Alberta model, the commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Bill C-29 states that affected individuals must be notified if the organization deems the breach to pose a “real risk of significant harm.” Significant harm is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on one’s credit record and damage to or loss of property.

Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach, and must contain enough information to allow individuals to understand the significance of the breach. The form and manner of notice will be set out in regulations, which I presume will allow for notice to large groups of people through the mass media where it is not feasible to give individual notice.

Given that under Bill C-29 the organization itself determines whether the thresholds of “material breach” and “real risk of significant harm” are met, businesses may be left with a great deal of wiggle room for breach reporting and notification. Arguably, the absence of penalties for non-compliance in reporting breaches is a weakness of the bill as well. However, the bill may still have the desired effect, as public awareness and expectations are heightened on the appropriate response of an organization that fails to protect personal information.

Bill C-29 permits organizations to use and disclose, without the knowledge and consent of the individual, personal information related to “prospective business transactions,” as is the case in Alberta and B.C. A prospective business transaction is defined to include purchase or sale of a business, mergers and amalgamations, financings, leasings and joint ventures. The bill thus remedies a flaw in the current legislation that makes certain aspects of due diligence difficult. The parties must have entered into an agreement that requires the recipient to use and disclose the information solely for the purposes related to the transaction; to protect that information with appropriate safeguards; and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. It is also a condition that personal information be necessary to determine whether to complete the transaction.

If the proposed transaction is completed, there would be a post-closing notification to affected individuals whose personal information may have been disclosed. However, transactions where the primary purpose is the purchase, sale or other acquisition of personal information (i.e. the primary or sole asset is a customer database) will not be covered by this new consent exemption.

Other key proposed amendments include:
- An expanded carve-out for business contact information, and new consent exceptions for work product information and employee information in the federally regulated sectors;
- Clarification that the consent required is valid only if it is reasonable to expect that the individual understands how and why their information is being collected, used or disclosed; and
- Clarification on the meaning of lawful authority for the purposes of disclosing personal information to government institutions without knowledge or consent of the individual.

While the proposed amendments do not address every recommendation of the ETHI, they will certainly bring PIPEDA more in line with the similar provincial statutes of Alberta and B.C., and represent a necessary upgrading of a statute that impacts many private sector enterprises on a daily basis.

Fazila Nurani is the president and founder of PrivaTech Consulting. She is a privacy lawyer and an information management consultant, as well as a Certified Information Privacy Professional in Canada. She advises organizations in a wide range of industries on privacy best practices.

