
Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!

On April 8, 2014, Canada’s government introduced Bill S-4, the Digital Privacy Act, in the Senate. Bill S-4 is the federal government’s latest attempt to reform the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). It would be a mistake to say that it is largely recycled from the government’s last attempt to reform PIPEDA in 2011 through Bill C-12, which died on the order paper. Here’s what’s different, what’s been dropped, and what seems to be largely the same. Caveat: This is a first read!

What’s different?

  • Fines for Failure to Record and Report Breaches. First the big news: The government is proposing that it would be a criminal offence for an organization to knowingly fail to keep prescribed records for breaches (see below) or to knowingly fail to report breaches in compliance with PIPEDA (also below). These offences would be punishable by fines of CAD $100,000 (indictable offence) and CAD $10,000 (summary conviction). To facilitate this provision, the Commissioner may disclose breach records and reports to law enforcement or the Public Prosecution Service of Canada for investigation and prosecution.
  • Records of Breaches. Organizations must keep and maintain records of any breaches of security safeguards and provide those records to the Commissioner on request.
  • Altered the Test for Breach Reporting. The test for reporting a breach of security safeguards to the Office of the Privacy Commissioner of Canada in Bill C-12 involved an analysis of whether the breach was “material” having regard to a non-exhaustive list of factors. The government has changed its approach and adopted a test that appears to be based on the test in Alberta — that is, an organization must report a breach to the Commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. The listed factors for what constitutes a real risk of significant harm (sensitivity of the personal information and probability of misuse) are the same as for a “material breach” under C-12, but the factors also include the possibility of additional prescribed criteria.
  • Confidentiality of Breach Reports and Records. Unlike in Alberta, although the Commissioner may disclose breach reports and records for the purpose of prosecution, these reports will otherwise remain confidential. In Alberta, the Commissioner must make a breach notification order. If the order requires individual notification, it is always public.
  • Compliance Agreements. The government is granting the Commissioner additional powers to enter into enforceable compliance agreements with organizations. These compliance agreements may include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfil the terms of the compliance agreement to the satisfaction of the Commissioner, the Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement. This resolves an enforcement conundrum that the Commissioner previously faced because of limitation periods on seeking court orders following the conclusion of an investigation. This provision will significantly enhance the jurisdiction of the Commissioner, provided that organizations decide that it is better to enter into agreements than to litigate. It is important to note that a compliance agreement does not provide the organization with immunity from an action by an individual for compensation or from prosecution for an offence.
  • Broadening Regulatory Powers. The government has modernized and broadened the regulatory powers of the Executive Branch. This may result in more flexibility to pass clarifying regulations as issues arise under PIPEDA.

What’s Missing?

  • Gag Order Provisions. It appears that the government has dropped the provisions in Bill C-12 that restricted the ability of organizations to be transparent with individuals when they provided information to law enforcement and other government institutions (even absent a court order).
  • Lawful Authority Clarification. The government also appears to have dropped the provisions clarifying that an organization need not inquire into the lawful authority of law enforcement seeking information without a warrant or production order, and has also dropped the provisions clarifying the meaning of lawful authority. No doubt the government feels that the pending proposed amendments to the Criminal Code granting organizations immunity for voluntarily collecting and disclosing information are sufficient to overcome any lingering doubts of organizations regarding the parameters for responding to pre-warrant requests for information.

What’s largely recycled?

  • Conditions for Valid Consent. The requirement for informed consent has been reintroduced.
  • Work Product Information Exceptions. Exceptions for the collection, use and disclosure of work product information have been reintroduced.
  • Disclosure of Information in a Business Transaction. The provisions in Bill C-12 enacted to facilitate the sharing of personal information in the course of the due diligence process and the completion of business transactions for the purchase and sale of a business have been largely recycled.
  • Business Contact Information. As with Bill C-12, the government has introduced an exemption from the requirement for consent for the collection, use and disclosure of business contact information when used solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. However, the government has tweaked the definition of business contact information. Business contact information is now “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment”, including the usual data elements such as name or title, work address, work telephone number, work fax number or work email address. Previously, the definition began with this list of data elements and ended with a “basket clause”.
  • Financial Abuse Exceptions. Regrettably, the ham-fisted exception for disclosure without consent to deal with the plague of financial abuse (particularly of the elderly) has been reintroduced. The provisions permit disclosure to a government institution (which is not controversial) and also to next of kin or an authorized representative (neither of which is defined), irrespective of the competency of the individual. The government appears to have been deaf to the decades of provincial experience with substitute consent.

Now, the only question is whether the government will fare better getting this Bill passed than it has previously.


Digital Privacy Act to Reform Canadian Privacy Laws

On Friday, April 4, 2014, the Hon. James Moore, Canadian Minister of Industry, announced the launch of “Digital Canada 150.”

As part of the Digital Canada 150, the Government of Canada intends to introduce a Digital Privacy Act in Parliament this coming week to reform Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The Minister’s announcement was short on details. It is expected, however, that the Digital Privacy Act may include some of the following reforms that were previously attempted by the government:

  • Mandatory data breach reporting to the Office of the Privacy Commissioner of Canada and individual breach notification requirements.
  • Clarification that organizations may disclose personal information when requested by police without verifying the lawful authority of the requester to make the request. (This provision was controversial when previously introduced. A different approach has been taken in Bill C-13, which is also before Parliament. That Bill would amend the Criminal Code to provide criminal and civil immunity to organizations that preserve and disclose data to law enforcement agencies, among others.)
  • An exemption that would allow an organization to disclose (without the consent of the individual and whether or not the individual is competent) personal information to the individual’s next of kin, an authorized representative or law enforcement if the organization had reasonable grounds to believe the individual may be the victim of financial abuse.
  • Exemption from PIPEDA for the collection, use or disclosure of an individual’s business contact information when used for the purposes of communicating with that individual about their business.
  • Clarification that consent is not required for the collection, use and disclosure of employee work product information.
  • Provisions to facilitate the transfer of personal information without the need for consent when selling or acquiring a business.
  • New investigatory provisions for the Commissioner.

It is not clear whether we might also see new order making powers and administrative monetary penalties for egregious breaches of PIPEDA. Although these tools have been previously requested by the Office of the Privacy Commissioner, the government has not acceded to those requests to date.

Privacy law reforms are only one piece of the Digital Canada 150 initiative. A central plank in the Digital Canada 150 strategy is to have high-speed Internet at 5 megabits per second available to 98% of Canadians. The government will inject CAD $300 million to bring that effort to fruition. In addition, the government has announced that it will cap domestic wireless roaming rates. The government will continue to pursue passage of laws relating to cyberbullying and the regulation of virtual currency that have already been introduced into Parliament.

For our international readers, an explanation might be required as to why the government is branding its initiative “Digital Canada 150”. This is a reference to the 150th anniversary of the founding of Canada through Confederation in 1867. The building of a transcontinental railroad is a central theme in the history of nation-building in Canada. Under Confederation in 1867, two of Canada’s Maritime provinces were promised railway links to Ontario and Quebec. When British Columbia (on the far west coast) joined in 1871, there was a condition that the railway be completed across the continent. Evidently, what the railroad was to the history of Canada, the government believes high-speed broadband will be to the future.


Shortened Grace Period for Canadian Telemarketers

On March 31, 2014, the Canadian Radio-television and Telecommunications Commission issued a new Compliance and Regulatory Policy Notice (CRTC 2014-155).

Among other things, the CRTC has shortened the period of time for organizations to update their internal do-not-call lists. Under the new rules, internal lists must be updated within 14 days of receiving a do-not-call request. Currently, telemarketers have 31 days to update their internal lists. The new rule will be effective June 30, 2014.

The CRTC rejected an application by the Canadian Marketing Association to permit telemarketing by automatic dialing-announcing device (ADAD) when there is an existing business relationship between the telemarketer (or the telemarketer’s client) and the person being called. The current rule, which has been preserved, requires express consent to these types of marketing calls. If consent has been given and an ADAD call is placed, the telemarketer must announce the purpose of the call at the beginning of the message.

A press release summarizing the CRTC’s Compliance and Regulatory Policy Notice can be found here.


Closing the Gap between Privacy Policies and the Use of Portable Storage Devices

The Office of the Privacy Commissioner of Canada has released its Report of Findings from a year-long investigation into a significant incident involving the loss of personal data at the former Ministry of Human Resources and Skills Development Canada (HRSDC).

In late 2012, an employee of HRSDC discovered the loss of an external hard drive containing the personal information of 583,000 Canada student loan borrowers and 250 employees. The external hard drive was a 1 terabyte external drive that was being used to back up information prior to the migration of information on HRSDC’s network. According to the Report of Findings, the backup was unnecessary to the migration but was conducted as a risk mitigation measure.

However, this “work around” created significant risks for HRSDC. Remarkably, the drive was not encrypted or even password protected. Nor was the drive inventoried by serial number. The drive was not stored in a vault. Instead, the hard drive was stored, frequently but not always, in a lockable filing cabinet located in an employee’s cubicle, in an envelope, hidden under suspended files.

Although HRSDC had many sound policies, there were significant gaps in practices. Among the notable observations and recommendations in the report and accompanying guidance are:

  • Privacy impact assessments and threat risk assessments are critical elements of an accountability framework. They should be conducted for the use of portable storage devices.

  • Portable storage devices should only be used as a last resort for the storage or transfer of personal information. They should not be used as permanent storage.

  • Portable storage devices used for personal information should be protected by strong technological safeguards, such as encryption.

  • Assets, such as portable storage devices, that are used to store personal information should be inventoried, monitored and tracked.

  • Organizations should verify compliance with policies regarding safeguards by periodically conducting security reviews, including physical checks to ensure that the portable storage device is being safeguarded.

  • Organizations should scan networks for unauthorized devices.

One of the issues not addressed in detail in the Report of Findings or the accompanying guidance is the root cause for the use of portable storage devices. In this case, it is not clear that the use of the external hard drive was necessary as a precaution against loss of data. The benefit of subjecting work processes and technologies to a privacy impact assessment or threat risk assessment is that the organization is more likely to examine the privacy and security issues in a systemic way that will reveal the root causes for the use of media such as portable storage devices. For example, are they being used because of a lack of trust or understanding about the migration or backup of data? Is it because remote access is not available or unreliable? Are there IT infrastructure limitations that should be addressed?

The Report of Findings may be found here. A Fact Sheet containing Tips for Federal Institutions Using Portable Storage Devices may be found here. Although the Fact Sheet is directed at governmental agencies, it has broader application under the OPC’s Accountability Guidelines released last year in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.


Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

In the 1980s the Supreme Court of Canada pre-emptively ended the development of a common law tort of discrimination. The case, Seneca College v. Bhadauria, stands out as one of the lost opportunities in the development of the common law in Canada. The battle lines have re-emerged in the context of the development of Ontario’s new privacy tort, intrusion upon seclusion. How it will play out is yet to be seen.

Bhadauria

Although the cases involving the tort of intrusion upon seclusion do not mention Bhadauria — that case casts a long shadow and is essential reading to understand what is currently at stake for those who seek to advance a common law privacy tort.

In Bhadauria, the plaintiff complained that she had been repeatedly discriminated against by the defendant college on the basis of her ethnic origin. She had applied for 10 positions on the teaching staff of the college and had never been granted an interview. Bertha Wilson J.A., writing for a unanimous bench of the Court of Appeal, recognized a new common law tort of discrimination and concluded that the Human Rights Code did not impede or exclude the development of the common law in this area in Ontario.

The college appealed the decision in Bhadauria to the Supreme Court of Canada with leave of that court. Chief Justice Laskin, writing for the court, concluded that the Human Rights Code was comprehensive legislation providing for a complaint procedure, a board of inquiry and judicial scrutiny. Laskin C.J. concluded that the Human Rights Code had – for better or worse – overtaken the development of the common law and foreclosed any development of the tort based on the anti-discrimination policy underlying the Human Rights Code. There ended the development of the tort of discrimination. Although the Supreme Court was asked to reverse its decision in 2008 in Honda Canada Inc. v. Keays, it did not do so.

Intrusion Upon Seclusion

Fast forward to 2012 and Ontario’s Court of Appeal recognized the tort of intrusion upon seclusion in Jones v. Tsige. In that case the defendant, an employee of the bank, had repeatedly accessed the banking information of the plaintiff who was in a relationship with the defendant’s former husband. The court recognized a new privacy tort and awarded damages for the intrusive behaviour of the defendant.

An open question was whether and how this new tort would fare in the context of Canada’s federal and provincial privacy legislation. The Ontario Court of Appeal made no mention of Bhadauria and the fateful attempt to establish a new tort in that case, although the issue appears to have been on Sharpe J.A.’s mind in his reasons. The defendant argued that privacy was already subject to provincial and federal legislation. However, the court concluded with brief reasons that “it would take a strained interpretation to infer from these statutes a legislative intent to supplant or halt the development of the common law in this area” (para. 49).

The court distinguished the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that it applied to “organizations” and not an individual tortfeasor. The plaintiff’s recourse would have been to make a complaint against her own employer rather than the culpable person. Moreover, PIPEDA did not speak to the existence of a civil cause of action in Ontario. The Ontario Freedom of Information and Protection of Privacy Act addressed the practices of governments and public institutions and was not applicable.

Personal Health Information – Another Frontier

However, whether the tort could apply in other contexts was not entirely put to rest. There remained an open question whether the tort could apply in respect of conduct or events that might be the subject of a complaint under Ontario’s Personal Health Information Protection Act (“PHIPA”). This issue arose last month in the case of Hopkins v. Kay. The case involved the alleged improper access of the personal health records of 280 patients of a hospital without the consent of the patients.

The hospital brought a motion to strike the claim based on the new tort on the basis that PHIPA covered the field. The hospital might have had the better argument based on Bhadauria. Complaints could be made to the Information and Privacy Commissioner of Ontario, who has broad administrative and enforcement powers under PHIPA. Once the Commissioner made an order that had become final, a person affected by the order could commence a proceeding in the Superior Court of Justice for damages for actual harm that the person suffered as a result of a contravention of PHIPA. Damages are limited to $10,000 for mental anguish, and there is an immunity provision to protect health information custodians and their agents from any action that seeks damages for acts or omissions that have been made in good faith and that are reasonable in the circumstances.

Nevertheless, the motions judge refused to strike out the pleading, finding that it was not so plain and obvious that the claim was doomed to fail on the basis that PHIPA covered the field. The motions judge held that “[i]f the position of the Hospital is to be sustained, it will require a decision of the Court of Appeal, which […] determines that there is no claim for breach of privacy and that the claim must rest on the provisions of PHIPA.”

The battle is clearly not over.
