April 26, 2024
Volume XIV, Number 117
Home
Legal Analysis. Expertly Written. Quickly Found.
Login

Trending News

Highlights of the Canada Digital Privacy Act 2015
Wednesday, June 24, 2015
Highlights of the Canada Digital Privacy Act 2015
Print Mail Download i

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law.  The DPA amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA) in important respects, including introducing a new data breach notification requirement (which is not yet in force) and making other material changes to PIPEDA.  This post summarizes key changes to PIPEDA brought about by the DPA.

Summary of Key Provisions

  • Graduated consent standard.  The DPA introduces a graduated standard some have referred to a “sliding scale” for obtaining valid consents.  The DPA stipulates that an individual’s consent will only be valid “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”  The upshot of this change is that organizations subject to PIPEDA will need to simplify their consent documentation and online terms when receiving data from less sophisticated individuals in order to ensure consents are valid.

  • New consent exceptions.  The DPA also introduces several additional exceptions covering PIPEDA’s consent and knowledge requirements.  Examples of the new exceptions include when personal information is produced by an employee in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced, and when using and disclosing personal information to another organization in connection with a contemplated business transaction, such as a merger or acquisition, provided that the organizations enter into an agreement that ensures that the information will only be used for purposes of the transaction, be subjected to appropriate security safeguards, and returned or destroyed if the transaction does not proceed.  (In the event the contemplated business transaction completes, the DPA makes clear that the information may continue to be used, provided the organizations enter into an agreement containing certain commitments with respect to the information, the information is necessary for continuing the business, and one of the organizations informs the relevant individuals within a reasonable time after completion that their information has been shared.)

  • Data breach notification.  The DPA introduces a new mandatory data breach notification requirement, which applies to organizations subject to PIPEDA when “…any breach of security safeguards involving personal information under [that organization’s] control [occurs,] if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”  If there is a “real risk of significant harm to individuals,” then the requirement also mandates notification to individuals.  Where an organization fails to notify the Commissioner or record a breach, where required to do so, it will be guilty of an offence and liable to be fined up to $100,000 Canadian Dollars.  However, this data breach notification regime will not take effect until the Canadian government issues implementing regulations.  (Any such regulations will not be enacted until a consultation involving stakeholders and the Office of the Privacy Commissioner has taken place.)

  • Expansion of “Business Contact” PIPEDA Exemption.  PIPEDA originally excluded an employee’s “name, title or business address or telephone number” from the definition of “personal information”.  The DPA revises the definition of “personal information” to refer only to “information about an identifiable individual,” and introduces a separate definition of the term “business contact information.”  The DPA also then uses this newly defined term in a specific “business contact” exemption provision, which excludes from PIPEDA use of “business contact information” for the purpose of communicating or facilitating communications with an individual in relation to their employment, business or profession.

  • Powers of the Commissioner.  The DPA also enhances the powers of the Canadian Privacy Commissioner in several respects.  Most significantly, it enables the Commissioner to form “compliance agreements” with organizations that the Commissioner has reasonable grounds may have committed, or is about or likely to commit, a breach of the PIPEDA.  Such agreements may contain any terms the Commissioner deems necessary to ensure compliance, and the Commissioner may go to courts to ensure compliance with the agreement’s terms if needed.

 

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins

 

Logo-white

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC