Earlier this week, the government introduced new legislation, Bill S-4, known as the Digital Privacy Act, which undoubtedly will end all privacy issues forever in this country. Good news! Or is it? As usual, I’ve read the bill so you don’t have to. Let’s dive in.
So what does the bill do? Let’s go to the government press release, which states:
The Digital Privacy Act, introduced today in Parliament, will provide new protections for Canadians when they surf the web and shop online
Well that sounds pretty good! I’m all for more protections online. I like that they write “in Parliament” to hide the fact that it is actually a Senate bill. Wait, the Senate does things? Who knew?
So you start reading the bill, and the first thing they have is the summary. It’s like 15 paragraphs long, so I won’t reproduce it here. Basically, it outlines that the bill will amend PIPEDA (the Federal legislation that protects personal info in the private sector, but you knew that already) to do a bunch of stuff. Such as:
(b) permit the disclosure of personal information without the knowledge or consent of an individual…
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual…
Uh oh. Now of course I’ve left some stuff out for effect. This disclosure is only for certain types of cases. But we’re jumping ahead of ourselves here, we’ll get back to this. A bunch of the summary outlines how the Privacy Commissioner will have new powers. That’s a good thing! I’ve written on this blog a million times (estimate) how PIPEDA has no teeth because the Privacy Commissioner can do squat. Hopefully the bill changes that. We’ll see!
So the meat of the bill. From the beginning, something positive! They have specified the definition of “personal information”. It will now be: “personal information means information about an identifiable individual.” It used to have a qualifier at the end of that line: “but does not include the name, title or business address or telephone number of an employee of an organization”. Right, because you couldn’t identify an individual with that!
OK let’s get to the juicy stuff. PIPEDA section 7(3) describes when “an organization may disclose personal information without the knowledge or consent of the individual” and then goes on to list when that can happen. They are pretty limited for the most part. However, Bill S-4 is gonna add a juicy one:
(only if the disclosure is) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
Geist has jumped all over this, and he’s right. He writes that, based on this provision, the bill “will open the door to massive warrantless disclosure of their personal information”. I think he’s being a bit hyperbolic (like me!) but he’s got a point. Take any copyright case. If I torrent something, I am (maybe) violating copyright law. The copyright owner, let’s say Voltage pictures, can just ask Vidéotron for all my personal info based on this clause. Vidéotron says sure, here ya go! And they don’t even tell me about, because they don’t have to. That’s, uh, not good. And look at the legal “standard” (such as it is) in this section – “reasonable for the purposes of investigating…”. That bar is so low it’s practically underground.
Another juicy one that is going to be added to the PIPEDA 7(3) list is the following:
(only if the disclosure is) of information that was produced by the individual in the course of their employment, business or profession and the disclosure is consistent with the purposes for which the information was produced;
Now you can see why they changed the definition of personal information. So they made this employment info “personal”, but then allowed its disclosure without the employee’s knowledge or consent? That’s good circular logic! So let me get this straight – my name, title, phone number, work email address are all personal info now. And if someone asks my employer nicely for this info, they can just say “sure, here you go!”? The fuck? Let’s move on to a new topic.
So under the bill there would be a mandatory reporting requirement of a privacy breach, which privacy lawyers have been clamoring for for years:
10.1 (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
Of course (because I bolded it), the breach must be reported only if it “creates a real risk of significant harm to an individual”. Who knows what the hell that is, but it seems like a pretty high threshold. “Significant harm” can include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” Well that’s just about anything. I am humiliated daily!
The bill tries to give some guidelines to help someone figure out when a “real risk of significant harm” is happening:
(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include
(a) the sensitivity of the personal information involved in the breach;
(b) the probability that the personal information has been, is being or will be misused; and
(c) any other prescribed factor.
That’s not so helpful. Whatever.
The reporting requirements also say that the organization who had a data breach (that creates a real risk bla bla) must report it to the individual(s) whose personal info was breached. That’s good! The bill also says that if an organization fails to report a breach when they should have, they can be fined up to $100,000. That’s… not so good. Look, I’m happy there are finally some fines under PIPEDA. But $100,000 is lunch money to a big organization. Compare that figure to the fines under CASL (the new anti-spam law) which can be up to $10 million. Now that’s a fine! And frankly the $100,000 is not “new” per se – it was in PIPEDA before, but now it can be applied to these breaches. And remember it’s not the breach itself that’s being fined – it’s the failure to report it. So breach away, organizations, just tell people and you’re cool!
So maybe the Privacy Commissioner’s new powers will be the enforcement mechanism PIPEDA needs instead of fines. Let’s take a look:
17.1 (1) If the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of a provision of Division 1 or 1.1 or a failure to follow a recommendation set out in Schedule 1, the Commissioner may enter into a compliance agreement, aimed at ensuring compliance with this Part, with that organization.
Compliance agreements! That are voluntary! Read that again – “the Commissioner may“. I have read the compliance agreement provisions five times now. Nowhere does it say that the organization who has violated PIPEDA must enter into such an agreement or even listen to the Commissioner. “Sorry Madame Commissioner, but we don’t feel like agreeing with you. Take your agreement and shove it.” “OK, thanks for your time!”
Well that about sums up the giant changes that will protect your personal information and privacy forever. To recap – some new questionable circumstances as to when your personal info can be transferred to another organization without your consent, some mandatory reporting requirements that have a pretty high threshold that is totally nebulous, and a new “enforcement” mechanism for the Privacy Commissioner that will probably be totally useless. I feel better already.
(Legal geeky post-script note – if you want to actually read how PIPEDA will look with all the new amendments under the bill, the fine folks at the Canadian Privacy Law Blog have you covered)