Earlier this week, the government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada’s private sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation.
The initial focus has unsurprisingly centered on the new security breach disclosure requirements that would require organizations to disclose breaches that puts Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The bill fixes an obvious shortcoming from the earlier bills by adding some teeth to the disclosure requirements with the addition of penalties for violations of the law. Moreover, Bill S-4 stops short of granting the Privacy Commissioner full order making power as is found at the provincial level, but the creation of compliance orders has some promise of holding organizations to account where violations occur.
Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.
In light of revelations that telecom companies and Internet companies already disclose subscriber information tens of thousands of times every year without a court order, the immunity provision is enormously problematic. Yet it pales in comparison to the Digital Privacy Act, which would expand the possibility of warrantless disclosure to anyone, not just law enforcement. Bill S-4 proposes that:
“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
When might this apply?
Consider the recent copyright case in which Voltage Pictures sought an order requiring TekSavvy to disclose the names and addresses of thousands of subscribers. The federal court established numerous safeguards to protect privacy and discourage copyright trolling by requiring court approval for any demand letters being sent to subscribers. If Bill S-4 were the law, the court might never become involved in the case. Instead, Voltage could simply ask TekSavvy for the subscriber information, which could be legally disclosed (including details that go far beyond just name and address) without any court order and without informing their affected customer.
In fact, the potential use of this provision extends far beyond copyright cases. Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (telecom companies, social media sites, local businesses) might resist disclosing information without a court order, the law would not require them to do so.
The resulting framework from C-13 and S-4 is stunning from an anti-privacy perspective:
- organizations could disclose subscriber or customer personal information without a court order to law enforcement with full legal immunity from liability
- organizations could disclose subscriber or customer personal information without a court order to any other organization claiming investigation of an actual or potential contractual breach or legal violation
- the disclosures would be kept secret from the affected individuals
- the disclosing organizations would be under no obligation to report on their practices or past disclosures
The government claims the Digital Privacy Act “will provide new protections for Canadians when they surf the web and shop online”. What it does not say that the same bill will open the door to massive warrantless disclosure of their personal information.