October 7, 2015

Recent amendments to Canada’s private-sector privacy legislation: What does it mean for your business?

By Paul K. Grower and Anthony R. Foderaro

On June 18, 2015, Canada’s Digital Privacy Act came into force, implementing amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy legislation that regulates the collection, use and disclosure of personal information by private-sector organizations.

While Manitoba has recently passed its own provincial private-sector legislation by way of the Personal Information Protection and Identity Theft Prevention Act, it is not yet in force and has not been declared “substantially similar” to PIPEDA so as to stand in place of PIPEDA within Manitoba. Therefore, PIPEDA remains the regulating authority over Manitoba businesses, and its recent amendments stand to substantially affect businesses’ operations in respect of their customers, clients and other organizations. It is therefore important for businesses that collect, use or disclose personal information in their dealings to consider, and plan for, the key changes that have been made to PIPEDA.

Key change: “Valid” consent

The Digital Privacy Act has supplemented PIPEDA’s consent requirement, adding a provision to the effect that consent must not only be informed, but that it must be “valid.” Now, under PIPEDA, consent is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of their personal information. PIPEDA now makes it clear that the validity of an individual’s consent will depend on their sophistication—as stated in the government’s news release on these amendments, businesses need to use clear, simple language when communicating to ensure that all Canadians, particularly vulnerable individuals, such as children, fully understand the potential consequences of providing their personal information.

Therefore, a “standard, boilerplate consent form” that businesses may tend to rely upon, and use indiscriminately from individual to individual, may no longer be satisfactory. Businesses should analyze their current privacy policies and consent notices to ensure that they are sufficiently clear, with attention paid to the sophistication level of their targeted audience.

Key change: A mandatory breach notification requirement

PIPEDA now includes a mandatory data security breach notification regime. While the date this regime will come into force has not yet been set, businesses should now take note of its requirements and prepare accordingly.

Under these provisions, an organization that suffers a data security breach is required to both file a report with the Privacy Commissioner and notify the relevant individual(s), if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to the individual(s). The organization may also be obliged to notify any other organizations or government institutions if those parties may be able to help reduce the harm that could result from the breach. These notifications are to be made as soon as feasible and, in the case of the notification to the affected individual, must contain sufficient information to allow him or her to understand the significance of the breach and to take steps to mitigate it.

The “significant harm” threshold is defined in PIPEDA to include such circumstances as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

Further, organizations are required to keep records of every data breach and may be called upon by the Privacy Commissioner to produce them.

The penalty for failure to report a data security breach or for failure to keep adequate records is high—organizations may be liable for fines of up to $100,000 per violation. At present, it is unknown whether the term “per violation” refers to the number of individuals affected or the number of incidents. Further clarification should be provided in the future.

Key change: Confidentiality

Thirdly, the amendments have significantly broadened the Commissioner’s right to publicize information received in the course of his or her duties. PIPEDA now states that the Commissioner may make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties, including any information contained in breach notification reports or privacy audits. Prior to the amendments, the Commissioner had a limited power to make public any information specifically relating to the personal information management practices of an organization if such was in the public interest.

Key change: business-friendly exemptions to consent requirements

Lastly, of interest to businesses, the amendments have introduced the following exemptions to the consent requirements for collection, use and disclosure of personal information:

1. The “business contact information” exemption

PIPEDA now provides that an organization may collect, use and disclose individuals’ “business contact information” without the consent of the individuals. The term “business contact information” has been defined in PIPEDA to include such information as the individual’s name, position name or title, work address, work telephone number, work fax number, and work e-mail address.

Importantly, this exemption applies only where the collection, use or disclosure of that information is solely for the purpose of communicating, or facilitating communication, with the individual in relation to their employment, business or profession. PIPEDA will continue to prohibit organizations from disclosing contact information to third parties for general purposes, such as mass marketing, without prior consent.

2. The “business transaction” exemption

Further, PIPEDA now authorizes organizations to use and disclose individuals’ personal information without the knowledge or consent of the individuals in the context of performing due diligence in relation to a prospective business transaction. PIPEDA defines a “business transaction” for these purposes to include such circumstances as a merger, acquisition, purchase, sale, and other arrangements.

For the exemption to apply, organizations must enter into an agreement requiring the recipient of the personal information to use it only for purposes related to the proposed transaction, as well as to protect the information with appropriate security safeguards. If the transaction does not proceed, the recipient must either return the information to the disclosing organization, or destroy it within a reasonable time.

This exemption, however, is not unlimited – only information that is necessary to determine whether to proceed with the transaction may be used or disclosed under this regime.

Paul K. Grower is a partner with Fillmore Riley LLP who practises primarily in the areas of taxation litigation, general commercial litigation, and privacy law. You can reach him at (204) 957 8369 or Anthony R. Foderaro is completing his articles at Fillmore Riley LLP. You may reach him at (204) 957 8390 or