On May 25, the government of Canada introduced into the House of Commons two bills to enhance the safety and security of Canadians’ personal information and the online marketplace.


Bill C-29, the Safeguarding Canadians’ Personal Information Act (SPCIA), amends the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal legislation that governs the collection, use and disclosure of personal information by organizations. These amendments are the culmination of the first statutory review of PIPEDA, which commenced, as required, in 2006 and resulted in an extensive report issued in May 2007 by a committee of the House of Commons containing 25 recommendations for consideration by the government.


The government also reintroduced its anti-spam legislation. The original legislation, Bill C-27, the Electronic Commerce Protection Act, had been passed by the House of Commons and was undergoing a review by a senate committee when Parliament was prorogued in December 2009. The new legislation, Bill C-28, enacts the Fighting Internet and Wireless Spam Act (FISA) and substantially reflects the original bill passed by the House of Commons, with some additional technical amendments.


Amendments to PIPEDA

Breach notification: The most significant amendment to PIPEDA is a requirement for breach notification. Organizations that experience a security breach involving personal information must report “material” breaches to the federal privacy commissioner. Materiality is determined by the organization by considering the sensitivity of the personal information involved, the number of individuals affected and whether the cause of the breach indicates a systemic problem.


Organizations must also notify affected individuals after a breach if the organization determines that it is “reasonable in the circumstances” to believe the breach creates a “real risk of significant harm” to the individual. Factors to consider in determining if a real risk of significant harm exists include the sensitivity of the personal information and the probability that the information has been, is being or will be misused.


Organizations may also notify other organizations or government institutions if that organization or institution may be able to reduce the risk of harm or mitigate any harm arising from the breach.


Business transactions: A new section has been added to PIPEDA to address the use and disclosure of personal information without knowledge and consent for the purpose of a business transaction, such as a merger or acquisition. Organizations considering such a transaction must enter into an agreement that requires the organization that receives the personal information to use that information only for purposes related to the transaction, to provide adequate safeguards and to return the personal information if the business transaction does not proceed.


Consent: To address concerns relating to the collection, use and disclosure of the personal information of children, Bill C-29 adds a specific clause to PIPEDA dealing with the validity of consent. A new section provides that the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.


Disclosure without consent: Bill C-29 also includes a number of amendments relating to disclosure of personal information without consent. For example, disclosure without consent of the individual will be permitted if the disclosure is made to another organization and the disclosure is necessary to investigate a breach of an agreement or a contravention of the laws of Canada, or to prevent, detect or suppress fraud. Disclosure of personal information without consent is also permitted where the disclosure is made to a government institution or an individual’s next of kin or authorized representative and the organization has reasonable grounds to believe the individual has been, is or may be the victim of financial abuse.


Where an organization discloses personal information to a government institution that has lawful authority to request the information, the organization is not required to verify the validity of that lawful authority.


Fighting Internet and Wireless Spam Act

The purpose of FISA is to promote the efficiency and adaptability of the Canadian economy by regulating activities that discourage the use of electronic means to carry out commercial activities.


Bill C-28 prohibits the sending of commercial electronic messages without the prior express or implied consent of the recipient. When seeking consent, organizations must set out clearly and simply the purpose for which the consent is being sought, information that identifies the person seeking consent, any other prescribed information and the function, purpose and impact of every computer program that is to be installed. Each commercial electronic message must identify the person who sent the message, include an unsubscribe mechanism that enables the recipient to indicate, using the same electronic means by which the message was sent, that they do not wish to receive any further such messages, and specify an e-mail address to which an opt-out may be sent or provide a hyperlink where an opt-out can be registered.


FISA also prohibits other practices, such as the:

  • collection of personal information by means of unauthorized access to computer systems,
  • unauthorized compiling of lists of electronic addresses,
  • alteration of transmission data so that the message is delivered to a destination other than or in addition to that specified by the sender, and
  • unauthorized installation of computer programs without express consent.


Bill C-28 includes coordinating amendments to the Competition Act and PIPEDA. The Canadian Radio-Television and Telecommunications Commission (CRTC) can impose monetary penalties for violations with maximum penalties in the case of an individual of $1,000,000, and in the case of organizations of $10,000,000. A private right of action enables a person affected by a contravention to obtain an amount equal to the actual amount of the loss or damage suffered or expenses incurred and statutory damages of up to $1,000,000 per day or per contravention depending on the nature of the violation.
