Industry Minister Tony Clement introduced two bills yesterday – the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians' Personal Information Act (C-29). I have spoken positively about C-28 (here, here, and here), which is long overdue and should receive swift passage. By contrast, C-29 is a huge disappointment. The bill is also long overdue as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007.
Just over three years later, the government has introduced a bill that does little for Canadians' privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes). The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere. In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good, since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below), safe in the knowledge that there are no financial penalties for failing to do so.