Industry Minister Tony Clement introduced two bills yesterday – the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians' Personal Information Act (C-29). I have spoken positively about C-28 (here, here, and here), which is long overdue and should receive swift passage. By contrast, C-29 is a huge disappointment. The bill is also long overdue as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007.
Just over three years later, the government has introduced a bill that does little for Canadians' privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes). The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere. In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.
The New Business Exceptions
The business exceptions address several issues:
- The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses. This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address. The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools.
- The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions. The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.
- The bill creates a new exception for the collection, use, and disclosure of personal information contained in a witness statement related to an insurance claim.
- The bill creates a new work product exception for the collection, use, and disclosure of information produced by an individual in the course of employment. There is also an exception for the employer collection, use, and disclosure of employee information to "establish, manage or terminate an employment relationship."
- The bill creates a new exception for businesses that voluntarily disclose personal information to other organizations for the investigation of a breach of an agreement that has been, is being, or is about to be committed. This exception also extends to disclosure to "prevent, detect or suppress fraud."
Law Enforcement Provisions
Law enforcement also benefits from new provisions, which could have a significant impact on businesses and individual Canadians.
- The bill purports to clarify "lawful authority" (i.e. disclosure to lawful authority without a court order) but as David Fraser notes it really doesn't clarify much of anything. Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority.
- Once a business has disclosed personal information to law enforcement, the bill includes a provision blocking it from disclosing the disclosure to the affected individual. This USA Patriot Act-like provision includes detailed rules on how such disclosures can occur, including mandatory delays and government notifications. In other words, once a business has disclosed personal information, the bill strongly encourages it to keep its proverbial mouth shut.
Security Breach Disclosure
As for individuals, there is a notable clarification of the meaning of consent, but the big addition is the creation of a security breach disclosure requirement. Unfortunately, the proposed approach is extremely weak when compared with similar statutes elsewhere. The security breach requirements include:
- A requirement to report a "material breach of security safeguards involving personal information under its control" to the Privacy Commissioner. The organization determines whether the breach is material, having regard to the sensitivity of the information, the number of individuals affected, and whether there is a systemic problem.
- A second requirement to report to individuals affected by the breach "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual." The organization makes its own determination of whether there is a real risk having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused. The notification must be given "as soon as feasible." Notifications may also go to other organizations if doing so may reduce the risk of harm.
While this is better than the current situation where there is no security breach disclosure requirement, it is far less than the rules found elsewhere. This proposal sets a very high threshold for disclosure, contains no clear penalties for non-disclosure, and does not feature a private right of action that might be used by individuals to further encourage compliance.
By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is a real risk of significant harm (other states merely require harm, not significant harm). Moreover, the California law requires disclosure in the most expedient time possible and without unreasonable delay – far quicker than the Canadian proposal.
Some states also establish tough penalties for failure to promptly notify. For example, Florida's law provides for penalties of up to $500,000 for failure to notify and up to $50,000 for failure to document non-notifications of security breaches. Michigan's penalties run up to $750,000. Moreover, some states (such as Louisiana and New Hampshire) establish private rights of action that provide for civil actions to recover actual damages sustained by individuals in cases of security breaches. Proposed language in Canada from the Uniform Law Conference of Canada's model data breach notification statute also envisions penalties for non-compliance (though it also includes a "significant harm" threshold).
Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices. When combined with the rest of the bill – which includes new exceptions for work product, new barriers to disclosing disclosures and further encourages disclosures without court oversight – C-29 does not do nearly enough to advance the Canadian privacy law framework in a manner that actually protects personal privacy.