Bill S-4, the Digital Privacy Act, which amends PIPEDA, has mostly been proclaimed into force by royal assent.
Notably, the most important part -- breach notification -- depends on regulations that have not been released, so that part is still not effective.
See: New Law to Protect the Personal Information of Canadians Online - Canada News Centre.
New Law to Protect the Personal Information of Canadians Online
Government of Canada's Digital Privacy Act comes into force
June 18, 2015 — Ottawa — Industry Canada
As Canadians increasingly turn to the Internet to conduct their day-to-day activities such as online shopping and banking, they need to have confidence that their personal information is protected. That is why the Government of Canada has enacted the Digital Privacy Act, which modernizes Canada's private sector privacy law. It sets clear rules for how personal information can be collected, used and disclosed.
Today, Industry Minister James Moore announced that the Digital Privacy Act has received Royal Assent and is now law.
Under the Digital Privacy Act:
- Organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves when they shop online. Companies that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
- Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.
Common sense changes are being made that recognize the need for businesses to use personal information to conduct normal everyday activities. Barriers are also being removed to enable the sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child.
- The Privacy Commissioner of Canada has improved powers to enforce compliance, making the Office of the Privacy Commissioner more flexible and effective in protecting the rights of Canadians in the changing digital world.
- Ensuring Canadians are protected online is a key element of Digital Canada 150, the Government's plan to take full advantage of the economic opportunities of the digital age.
- All new measures under the Digital Privacy Act are now in force, except for the data breach requirements. The data breach rules will come into force once regulations outlining data breach requirements are completed. The government will work closely with stakeholders and the Office of the Privacy Commissioner in developing the regulations.
"The Digital Privacy Act will protect the personal information of Canadians online. It will hold companies to account when Canadians' personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats." – James Moore, Minister of Industry
"Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians. Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach." – Daniel Therrien, Privacy Commissioner of Canada