
Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!

On April 8, 2014, Canada’s government introduced Bill S-4, the Digital Privacy Act, in the Senate. Bill S-4 is the federal government’s latest attempt to reform the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). It would be a mistake to say that it is largely recycled from the government’s last attempt to reform PIPEDA in 2011 through Bill C-12, which died on the order paper. Here’s what’s different, what’s been dropped, and what seems to be largely the same. Caveat: This is a first read!

What’s different?

  • Fines for Failure to Record and Report Breaches. First the big news: The government is proposing that it would be a criminal offence for an organization to knowingly fail to keep prescribed records for breaches (see below) or to knowingly fail to report breaches in compliance with PIPEDA (also below). These offences would be punishable by fines of CAD $100,000 (indictable offence) and CAD $10,000 (summary conviction). To facilitate this provision, the Commissioner may disclose breach records and reports to law enforcement or the Public Prosecution Service of Canada for investigation and prosecution.
  • Records of Breaches. Organizations must keep and maintain records of any breaches of security safeguards and provide those records to the Commissioner on request.
  • Altered the Test for Breach Reporting. The test for reporting a breach of security safeguards to the Office of the Privacy Commissioner of Canada in Bill C-12 involved an analysis of whether the breach was “material” having regard to a non-exhaustive list of factors. The government has changed its approach and adopted a test that appears to be based on the test in Alberta — that is, an organization must report a breach to the Commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. The listed factors for what constitutes a real risk of significant harm (sensitivity of the personal information and probability of misuse) are the same as for a “material breach” under C-12, but the factors also include the possibility of additional prescribed criteria.
  • Confidentiality of Breach Reports and Records. Unlike in Alberta, these reports will remain confidential, apart from the Commissioner’s power to disclose breach reports and records for prosecution. In Alberta, the Commissioner must make a breach notification order. If the order requires individual notification, it is always public.
  • Compliance Agreements. The government is granting the Commissioner additional powers to enter into enforceable compliance agreements with organizations. These compliance agreements may include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfil the terms of the compliance agreement to the satisfaction of the Commissioner, the Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement. This resolves an enforcement conundrum that the Commissioner previously faced because of limitation periods on seeking court orders following the conclusion of an investigation. This provision will significantly enhance the jurisdiction of the Commissioner, provided that organizations determine that it is better to enter into agreements than to litigate. It is important to note that a compliance agreement does not provide immunity to the organization from an action by an individual for compensation or from prosecution for an offence.
  • Broadening Regulatory Powers. The government has modernized and broadened the regulatory powers of the Executive Branch. This may result in more flexibility to pass clarifying regulations as issues arise under PIPEDA.

What’s Missing?

  • Gag Order Provisions. It appears that the government has dropped the provisions in Bill C-12 that restricted the ability of organizations to be transparent with individuals when they provided information to law enforcement and other government institutions (even absent a court order).
  • Lawful Authority Clarification. The government also appears to have dropped the provisions clarifying that an organization need not inquire into the lawful authority of law enforcement seeking information without a warrant or production order and has also dropped the provisions clarifying the meaning of lawful authority. No doubt the government feels the pending proposed amendments to the Criminal Code granting organizations immunity from voluntarily collecting and disclosing information is sufficient to overcome any lingering doubts of organizations regarding the parameters for responding to pre-warrant requests for information.

What’s largely recycled?

  • Conditions for Valid Consent. The requirement for informed consent has been reintroduced.
  • Work Product Information Exceptions. Exceptions for the collection, use and disclosure of work product information have been reintroduced.
  • Disclosure of Information in a Business Transaction. The provisions in Bill C-12 enacted to facilitate the sharing of personal information in the course of the due diligence process and the completion of business transactions for the purchase and sale of a business have been largely recycled.
  • Business Contact Information. As with Bill C-12, the government has introduced an exemption from the requirement for consent for the collection, use and disclosure of business contact information when used solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. However, the government has tweaked the definition of business contact information. Business contact information is now “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment”, including the usual data elements such as name or title, work address, work telephone number, work fax number or work email address. Previously, the definition began with this list of data elements and ended with a “basket clause”.
  • Financial Abuse Exceptions. Regrettably, the ham-fisted exception for disclosure without consent to deal with the plague of financial abuse (particularly of the elderly) has been reintroduced. The provisions permit disclosure to a government institution (which is not controversial) and also to next of kin or an authorized representative (neither of which is defined) irrespective of the competency of the individual. The government appears to have been deaf to the decades of provincial experience with substitute consent.

Now, the only question is whether the government will fare better getting this Bill passed than it has previously.


Digital Privacy Act to Reform Canadian Privacy Laws

On Friday, April 4, 2014, the Hon. James Moore, Canadian Minister of Industry, announced the launch of “Digital Canada 150.”

As part of the Digital Canada 150, the Government of Canada intends to introduce a Digital Privacy Act in Parliament this coming week to reform Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The Minister’s announcement was short on details. It is expected, however, that the Digital Privacy Act may include some of the following reforms that were previously attempted by the government:

  • Mandatory data breach reporting to the Office of the Privacy Commissioner of Canada and individual breach notification requirements.
  • Clarification that organizations may disclose personal information when requested by police without verifying the lawful authority of the requester to make the request. (This provision was controversial when previously introduced. A different approach has been taken in Bill C-13, which is also before Parliament. That Bill would amend the Criminal Code to provide criminal and civil immunity to organizations that preserve and disclose data to law enforcement agencies, among others.)
  • An exemption that would allow an organization to disclose (without the consent of the individual and whether or not the individual is competent) personal information to the individual’s next of kin, an authorized representative or law enforcement if the organization had reasonable grounds to believe the individual may be the victim of financial abuse.
  • Exemption from PIPEDA for the collection, use or disclosure of an individual’s business contact information when used for the purposes of communicating with that individual about their business.
  • Clarification that consent is not required for the collection, use and disclosure of employee work product information.
  • Provisions to facilitate the transfer of personal information without the need for consent when selling or acquiring a business.
  • New investigatory provisions for the Commissioner.

It is not clear whether we might also see new order making powers and administrative monetary penalties for egregious breaches of PIPEDA. Although these tools have been previously requested by the Office of the Privacy Commissioner, the government has not acceded to those requests to date.

Privacy law reforms are only one piece of the Digital Canada 150 initiative. A central plank in the Digital Canada 150 strategy is to have high-speed Internet at 5 megabits per second available to 98% of Canadians. The government will inject CAD $300 million to bring that effort to fruition. In addition, the government has announced that it will cap domestic wireless roaming rates. The government will continue to pursue passage of laws relating to cyberbullying and the regulation of virtual currency that have already been introduced into Parliament.

For our international readers, an explanation might be required as to why the government is branding its initiative “Digital Canada 150”. This is a reference to the 150th anniversary of the founding of Canada through Confederation in 1867. The building of a transcontinental railroad is a central theme in the history of nation-building in Canada. Under Confederation in 1867, two of Canada’s Maritime provinces were promised railway links to Ontario and Quebec. When British Columbia (on the far west coast) joined in 1871, there was a condition that the railway be completed across the continent. Evidently, what the railroad was to the history of Canada, the government believes high-speed broadband will be to the future.

Closing the Gap between Privacy Policies and the Use of Portable Storage Devices

The Office of the Privacy Commissioner of Canada has released its Report of Findings from a year-long investigation into a significant incident involving the loss of personal data at the former Ministry of Human Resources and Skills Development Canada (HRSDC).

In late 2012, an employee of HRSDC discovered the loss of an external hard drive containing the personal information of 583,000 Canada student loan borrowers and 250 employees. The external hard drive was a 1 terabyte external drive that was being used to back up information prior to the migration of information on HRSDC’s network. According to the Report of Findings, the backup was unnecessary to the migration but was conducted as a risk mitigation measure.

However, this “work around” created significant risks for HRSDC. Remarkably, the drive was not encrypted or even password protected. Nor was the drive inventoried by serial number. The drive was not stored in a vault. Instead, the hard drive was stored frequently but not always in a lockable filing cabinet located in an employee’s cubicle, in an envelope, hidden under suspended files.

Although HRSDC had many sound policies, there were significant gaps in practices. Among the notable observations and recommendations in the report and accompanying guidance are:

  • Privacy impact assessments and threat risk assessments are critical elements of an accountability framework. They should be conducted for the use of portable storage devices.

  • Portable storage devices should only be used as a last resort for the storage or transfer of personal information. They should not be used as permanent storage.

  • Portable storage devices used for personal information should be protected by strong technological safeguards, such as encryption.

  • Assets, such as portable storage devices, that are used to store personal information should be inventoried, monitored and tracked.

  • Organizations should verify compliance with policies regarding safeguards by periodically conducting security reviews, including physical checks to ensure that the portable storage device is being safeguarded.

  • Organizations should scan networks for unauthorized devices.
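As an added illustration (not part of the OPC report, its guidance, or HRSDC’s own practice), the following Python check applies three of the recommendations above to a constructed data set: inventory by serial number, encryption of any device holding personal information, and a periodic review that confirms every inventoried device can still be accounted for. The device records, serial numbers, capacities and custodian names are all constructed for the example; in practice the observed list would come from endpoint logs or a physical check.

```python
"""Reconcile observed portable storage devices against an asset inventory.

Constructed example. Three findings are produced, matching the report's
recommendations:
  untracked   - a device was seen that is not in the inventory
  unencrypted - a device holding personal information is not encrypted
  missing     - an inventoried device could not be accounted for in this
                review (the HRSDC failure mode: a drive nobody could locate)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str        # inventory key; the report recommends tracking by serial number
    capacity_gb: int
    encrypted: bool    # hardware or full-disk encryption present and enabled
    custodian: str     # team or person responsible for the device


# Constructed inventory: devices the organization believes it owns and has approved.
INVENTORY = {
    "SN-A100": Device("SN-A100", 1000, True, "records-team"),
    "SN-B200": Device("SN-B200", 500, True, "it-backup"),
    "SN-D400": Device("SN-D400", 2000, True, "archives"),
}

# Constructed observations from a periodic review (endpoint logs plus a physical check).
OBSERVED = [
    Device("SN-A100", 1000, True, "records-team"),   # fully compliant
    Device("SN-C300", 1000, False, "unknown"),        # never inventoried, and unencrypted
    Device("SN-B200", 500, False, "it-backup"),       # inventoried, but encryption is off
    # SN-D400 was not found during the review
]


def reconcile(inventory, observed):
    """Return a list of (finding, serial) tuples for the review.

    Findings are emitted in observation order, followed by any inventoried
    device that was not observed at all.
    """
    findings = []
    seen = set()
    for dev in observed:
        seen.add(dev.serial)
        if dev.serial not in inventory:
            findings.append(("untracked", dev.serial))
        if not dev.encrypted:
            findings.append(("unencrypted", dev.serial))
    for serial in inventory:
        if serial not in seen:
            findings.append(("missing", serial))
    return findings


def summarize(findings):
    """Count findings by type so a reviewer can see the shape of the problem at a glance."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, OBSERVED)
    for kind, serial in results:
        print(f"{kind:12s} {serial}")
    print(summarize(results))
```

The "missing" finding is the one that matters most for the incident described above: an encrypted, inventoried drive that cannot be located is still a loss, and only a recurring physical check surfaces it before someone needs the data.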

One of the issues not addressed in detail in the Report of Findings or the accompanying guidance is the root cause for the use of portable storage devices. In this case, it is not clear that the use of the external hard drive was necessary as a precaution against loss of data. The benefit of subjecting work processes and technologies to a privacy impact assessment or threat risk assessment is that the organization is more likely to examine the privacy and security issues in a systemic way that will reveal the root causes for the use of media such as portable storage devices. For example, are they being used because of a lack of trust or understanding about the migration or backup of data? Is it because remote access is not available or unreliable? Are there IT infrastructure limitations that should be addressed?

The Report of Findings may be found here. A Fact Sheet containing Tips for Federal Institutions Using Portable Storage Devices may be found here. Although the Fact Sheet is directed at governmental agencies, it has broader application under the OPC’s Accountability Guidelines released last year in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.


Supreme Court’s CAFA Ruling May Open Door To Increased State Attorney General Privacy-Related Lawsuits

The Supreme Court’s recent rejection of Class Action Fairness Act (“CAFA”) jurisdiction in parens patriae suits (suits brought by state attorneys general on behalf of the state or state’s citizens in general) will likely increase the filing of such suits asserting claims and rights of individual citizens of the state, including for monetary damages.  Such lawsuits—which are often prosecuted by private class counsel pursuant to contingency fee retainer agreements with the state attorney general—are becoming a more and more common method to avoid the impact of CAFA and recent pro-defendant class action rulings by the Supreme Court under the federal class action rule.

The Mississippi v. AU Optronics Corp. case decided by the Supreme Court involved claims filed by the state attorney general (through private retained counsel pursuant to a contingency-fee agreement) alleging price fixing in the liquid crystal display (LCD) market.  Those claims largely mirrored the claims made in a private class action that was settled by the defendants in a series of agreements for a total of approximately $1.1 billion (a settlement reached after more than 100 putative private class actions were filed asserting essentially the same claims against various groups of defendants).  The Mississippi suit sought money damages in the form of restitution based on the same purchases that would have been covered (and released) by the private class action settlements.

Given the increase of high-profile data breaches, it is likely that these “parens patriae” suits will expand into the privacy realm.  A coalition of state attorneys general has already formed to investigate the recent Target breach.  Additionally, the parens patriae loophole to CAFA may ultimately allow private class attorneys to bring data breach damages claims in state court, thus not only allowing the litigation to remain in what class counsel may view as a more plaintiff-friendly jurisdiction, but also potentially avoiding the biggest obstacle to such suits thus far—federal decisions dismissing such cases based on a lack of an injury-in-fact as required for Article III standing.  Indeed, most legal analysts to discuss customer private class actions against Target have made this very point, a point that may be moot if state attorneys general simply file essentially the same claims as part of a “parens patriae” action.


A Cautionary Tale on Slow Data-Breach Response

California Attorney General Kamala Harris has sued Kaiser Foundation Health Plan over what her office considers a too-slow data breach notification.  California’s breach notification law requires notification of affected individuals “in the most expedient time possible and without unreasonable delay.”  Kaiser notified individuals of the breach in March 2012, but California alleges in its complaint that Kaiser had sufficient information to notify between December 2011 and February 2012.

Story here
