Tuesday, May 25, 2010

Breach notification amendments to PIPEDA introduced in Parliament

Industry Minister Tony Clement has tabled legislation to amend PIPEDA, requiring data breach notification. (I haven't seen the text of the bill yet, but will provide a link as soon as I get my hands on it).

From the preliminary coverage (Firms not required to inform victims of privacy breach under new rules), it appears the new rules will be the same as Alberta's only requiring notice to affected individuals if the company determines there exists a "real risk of significant harm". Critics suggest that this threshold is too low or leaves too much discretion in the hands of companies.

Here's the press release, which outlines other amendments being made to PIPEDA:
Government of Canada Moves to Enhance Safety and Security in the Online Marketplace

OTTAWA, ONTARIO--(Marketwire - May 25, 2010) - The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.

"Canadian shoppers should feel just as confident in the electronic marketplace as they do at the corner store," said Minister Clement. "With today's two pieces of legislation, we are working toward a safer and more secure online environment for both consumers and businesses — essential in positioning Canada as a leader in the digital economy."

"Our government believes that personal information should be no less secure when shared online than anywhere else. That is why we are taking steps to ensure it is better protected," said Minister of State Lebel. "These measures will empower and better protect consumers while ensuring that Canadian businesses can continue to compete in the global marketplace."

To address public concerns about the increasing number of data breaches involving personal information, PIPEDA proposes a new requirement for organizations to report material data breaches to the Privacy Commissioner of Canada and to notify individuals where there is a risk of harm. This requirement will complement the government's recently enacted identity theft legislation and encourage better information security practices on the part of organizations.

PIPEDA also proposes amendments related to protecting the privacy of minors and other vulnerable individuals online. Other amendments are designed to clarify and streamline rules for business and support effective investigations by law enforcement and security agencies.

The proposed FISA is intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.

The proposed FISA legislation provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modelled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of the three enforcement agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.

Industry Canada will act as a national coordinating body to increase consumer and business awareness and education, to further coordinate work with the private sector and to conduct research and intelligence gathering.


Government of Canada Introduces Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA)

The Government of Canada has introduced enhancements to private sector privacy legislation in a bill seeking to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). In doing so, the Government is implementing the Government Response to the first statutory review of PIPEDA and is delivering on a commitment made by the Minister of Industry at the June 22, 2009, forum entitled Canada's Digital Economy: Moving Forward.

In a modern, information-based economy, or "digital economy", a solid, efficient regime for the protection of personal information is vitally important for both consumers and businesses.

To ensure that PIPEDA continues to keep pace with rapid marketplace and technological changes, and their societal impacts, the proposed amendments in this Bill are designed to:

protect and empower consumers;

clarify and streamline rules for business;

enable effective investigations by law enforcement and security agencies; and,

make linguistic and other technical drafting corrections.


The proposed amendments will make a significant contribution to the government's efforts to ensure a safe and secure Internet for Canadians. A key proposed amendment would require organizations to report material data breaches of personal information to the Privacy Commissioner of Canada, and to notify affected individuals when the organization deems the breach to pose a real risk of significant harm, such as identity theft or fraud, or damage to reputation. This amendment will not only provide consumers with the information they need to mitigate harm resulting from a breach of their personal information, it will also encourage better information security practices in organizations. This proposed amendment will complement the government's new identity theft law, An Act to amend the Criminal Code (identity theft and related misconduct).

Acknowledging the increasing Internet usage rates of children, Canada is working with a number of international organizations to develop strategies to better protect children online. The Bill proposes an amendment to PIPEDA's consent regime that will provide further protection for children online by requiring organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information.

The Bill also proposes additional exceptions to allow for the release of personal information to help protect victims of financial abuse, to help locate missing persons and to identify injured, ill or deceased individuals.


In its October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics, the Government committed to supporting business by providing greater clarity and certainty with respect to key provisions of PIPEDA. The Bill proposes exceptions to consent for the collection, use and disclosure of information needed for, among others, managing the employment relationship, information produced for work purposes ("work product"), and information used for due diligence in business transactions. Organizations will also be able to share and use business contact information that is required to conduct day-to-day business.

In addition, a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-size organizations.


Another key thrust of the Bill is supporting effective law enforcement. The Government considers the safety and security of Canadian citizens to be of utmost importance. Proposed amendments will reaffirm the view that the information needs of law enforcement and security agencies can be met while respecting the privacy rights of Canadians. Proposed amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order. To avoid jeopardizing investigations, new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.


Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in the course of commercial activity. It has been in force since January 1, 2001, and is mandated to be reviewed by Parliament every five years.

This Bill acts on the Government's October 2007 Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics arising from the first Parliamentary review of the Act. The Government Response addressed each of the 25 recommendations contained in the Committee's report and committed to amending the Act in agreement with many of the Committee's recommendations.

In its report, the Committee recognized that the Act is working well and does not require major changes at this time. The Committee recommended the "fine-tuning" of some of the Act's provisions and encouraged increased harmonization with provincial privacy laws.

Industry Canada, which administers the Act, conducted formal consultations with stakeholders in order to further develop and define options for implementing the Government Response to the Committee report. The Government received 76 written submissions, and officials held more than 25 meetings involving a wide range of stakeholders including business, consumer and privacy advocates, the Privacy Commissioner of Canada, provincial governments and law enforcement authorities.

Where possible, the proposed amendments take into consideration approaches taken in provincial privacy laws.

Update: Here is the First Reading text of Bill C-29.

No comments: