The proposed changes to PIPEDA aim to strengthen consumer protections, clarify rules for businesses, and support law enforcement. Key changes include more detailed consent requirements, new consent exceptions for employment and business transactions, clarified rules around business contact information, and new data breach notification requirements for organizations. The breach notification requires informing individuals and the Privacy Commissioner if a privacy breach creates a real risk of significant harm. Overall the changes are seen as relatively uncontroversial and intended to remedy gaps and issues in the original PIPEDA legislation.
November 30 2010 presentation on Bill C-29, which will amend Canada's federal privacy law, PIPEDA.
Copyright:
Attribution Non-Commercial (BY-NC)
November 30, 2010
Mark Hayes, Hayes eLaw LLP

Legislative History
• PIPEDA introduced 2001
• May 2007: Reviewed by Standing Committee on Access to Information, Privacy and Ethics – 25 recommendations
• May 2010: Bill C-29 introduced
• 2nd reading October 2010
• Not yet in committee

Legislative History
• Government says 4 categories of changes:
  – protect and empower consumers
  – clarify and streamline rules for business
  – support effective law enforcement and security investigations
  – address technical issues

My Classification
• Consent
• Consent exceptions
• Business contact information and business transactions
• Employment information
• Computer information collection
• Breach notification
• Commissioner investigations

Consent
• “Valid” consent (new s. 6.1) – individual must understand “nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting”
• Precise effect of new provision unclear
• Likely that more detailed disclosures will be required about proposed uses of personal information

New Consent Exceptions
• Collection:
  – PI contained in witness statement related to insurance claim (s. 7(1)(b.1))
  – PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(1)(b.2))
• Use:
  – PI contained in witness statement related to insurance claim (s. 7(2)(b.1))
  – PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(2)(b.2))

New Consent Exceptions
• Disclosure:
  – To communicate with next-of-kin (s. 7(3)(c.1)(iv))
  – For purpose of policing services (not otherwise exempted) (s. 7(3)(c.1)(v))
  – To another organization, where disclosure is necessary
    • to investigate breach of agreement or contravention of Canadian law that has been, is being or is about to be committed, or
    • to prevent, detect or suppress fraud when reasonable to expect that notifying individual would undermine prevention, detection or suppression of fraud (s. 7(3)(d.1))

New Consent Exceptions
• Disclosure:
  – To government or next of kin to prevent, detect or suppress fraud or financial abuse (s. 7(3)(d.2))
  – To government or next of kin where necessary to identify injured, ill or deceased individuals (s. 7(3)(d.3))
    • If individual alive, must give notice in writing of disclosure
    • This last requirement seems odd
  – PI contained in witness statement related to insurance claim (s. 7(3)(e.1))
  – PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(3)(e.2))

Lawful Authority
• Some clarification in s. 7(3.1)
• Not required to:
  – Obtain subpoena, warrant or court order before disclosing personal information required as part of a formal government investigation
  – Verify the validity of lawful authority before disclosing information
• Debate about what lawful authority police have will likely continue

Business Contact Information (BCI)
• Currently, BCI narrowly defined but completely excluded from definition of PI
  – Information excluded limited to specifically listed categories (name, title, business address or telephone number)
  – May not include business e-mail

Business Contact Information (BCI)
• New s. 4.01 would:
  – Provide a non-exhaustive definition of BCI
    • “name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address”
    • Plus “any similar information”
  – Require that collection, use or disclosure of BCI be “solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession”

Business Contact Information (BCI)
• Unclear how far definition of BCI will extend
  – Probably has to be information that could be used to contact individual
• Effect of qualifying as BCI is to exempt all collection, use and disclosure from PIPEDA
  – What happens if use goes beyond restrictions?
  – Is information no longer BCI forever?
• Must read this change in conjunction with FISA (C-28) discussed by Fraser

Business Transactions
• New s. 7.11 gives broad exception to allow use and disclosure of PI without consent
• Prospective or completed business transactions
  – Include mergers and acquisitions, financings, leases, licenses and securitizations
  – Not applicable if primary purpose of transaction is purchase, sale or lease of personal information
• Must have agreement requiring PI disclosure
• PI must be necessary for considering or completing transaction

Business Transactions
• PI use in transactions potentially much simpler
• Purchaser may use and disclose PI if:
  – Parties enter into agreement to:
    • Use after closing same as before transaction
    • Apply appropriate security safeguards
    • Give effect to any withdrawal of consent
  – PI necessary to carry on business
  – One party notifies individuals post-closing about transaction and disclosure of PI

Employment Information
• New s. 7.2: Organization may collect, use and disclose PI without consent if:
  – Collection, use or disclosure necessary to establish, manage or terminate employment relationship
  – Employer has informed the individual that PI will be or may be collected, used or disclosed for those purposes
• Welcome addition to remedy glaring omission in original PIPEDA
• New s. 7.3: Employer may use and disclose PI that qualifies under s. 7.2 for purposes other than those for which PI was collected

Computer Information Collection
• New s. 7.1: Consent exemptions for collection and use do not apply to:
  – Collection of “electronic addresses” by means of a specialized computer search program
  – PI collected by accessing a computer system in contravention of federal law
    • Probably referring to Sections 342.1 and 326 of Criminal Code
  – Note that this overrides journalism exception in s. 7(1)(d)
• There has been little objection thus far

Breach Notification
• New s. 10.1: Organization must report any material breach of security safeguards to PCC
• Materiality depends on:
  – Sensitivity of PI
  – Number of individuals whose PI was involved
  – Whether cause of breach indicates systemic problem

Breach Notification
• New s. 10.2: Must also notify individual if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”
  – “‘Significant harm’ includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”
• Factors for significant harm are sensitivity of PI and probability that the personal information has been, is being or will be misused

Breach Notification
• Both 10.1 and 10.2 require notification to be given in accordance with regulations and to be done “as soon as feasible”
  – This timing requirement may be too stringent
• New s. 10.3 permits further notification to another organization or government body if they can reduce the potential harm
  – Again subject to unspecified regulations

Commissioner Investigations
• Several minor tweaks
• PCC given more discretion in s. 12.1 to decide whether to investigate a complaint and what to do in the course of an investigation
• S. 22 adjusted to make clear the extent of defamation exemption for PCC relating to investigations and reports

In Conclusion…
• In general, proposed changes are relatively uncontroversial and welcome “fixes”
• Employment and business transaction changes make PIPEDA more business friendly and dovetail with Alberta and BC PIPAs
• Breach notification seems to have struck the right compromise
• Questions remain about how PCC will handle notification volume

Thank you!
If you would like a copy of these slides, please leave me a card or email me at mark@hayeselaw.com