Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been amended by The Digital Privacy Act (the DPA). DPA updates PIPEDA and modernizes Canadian data privacy and security law. DPA is now largely in force, except for certain provisions, which will come into force at a later date by order of the Governor in Council. The key amendments include mandatory breach notification and enhanced consent requirements.
Security Breach notification. Under the DPA amendments, Canada now requires organizations to notify affected individuals and the Privacy Commissioner of Canada if their personal information is lost or stolen and the theft or loss creates a “real risk of significant harm.” “Significant harm” is defined as including, among other harms, financial harm, humiliation, damage to reputation or relationships and identity theft. Organizations must consider the sensitivity of the information, the probability of misuse, and any other prescribed factors when determining whether a real risk exists. Records of data breaches must be maintained and produced by an organization upon the Commissioner’s request. Once the accompanying regulations are finalized and adopted, the breach notification provisions will become effective. Before the adoption of DPA, data breach notifications were voluntary. The number of data breach notices in Canada is expected to increase as a result of this new requirement, as only Alberta currently requires breach notification. In the United States, we saw the visibility of data security rise with the adoption of state breach notification laws which resulted in people receiving multiple notices of a breach suffered by organizations.
Valid Consent Requirements and Exceptions. A second significant amendment to PIPEDA is the requirement to obtain a “valid consent” to collect, use or disclose personal information. The pre-DPA rules required consent of an individual to be “reasonably understandable by the individual.” Now, under the DPA amendment, for the consent to be valid, it must be “reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” DPA also includes several new exceptions to the consent requirement, such as expanded rights of a company to collect, use and disclose personal information as part of a merger or M&A transaction.
Organizations should review and, as appropriate, update their template consent forms. However, there is ongoing and unanswered discussion in the business community about the effect of the DPA consent requirement on the validity of consents obtained prior to DPA’s adoption. Of particular concern is whether pre-DPA consents must be redone, at least in the case of certain sub-groups such as children or senior citizens, where there is a concern about whether the group members understand the consequences of giving consent as required by the regulation.
One unanswered question is whether the Canadian Privacy Commissioner will require the consents under DPA to be bilingual to be valid. The Commissioner on several occasions advocated for bilingual privacy policies and related documents. This prior advocacy suggests that dual language requirements for consents could be required. The answer may hinge on whether a bilingual consent would aid an individual’s understanding of why their personal information was being collected and/or disclosed.