In an apparent attempt to apply pressure to the government to amend the federal private sector privacy law, New Democrat Digital Issues Critic Charmaine Borg recently introduced a private member's bill that would introduce mandatory data breach reporting and provide the Privacy Commissioner of Canada with direct enforcement powers.
The government’s own bill to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in September of 2011, but Bill C-12, as the bill is known, has not moved forward since that time.
The New Democrat bill, known as C-475, differs from C-12 in several important ways.
First, C-475 would require that organizations report data breaches to the Privacy Commissioner, who would then determine whether the organization would be required to notify affected individuals (although organizations would not be precluded from providing such notice). By contrast, Bill C-12 includes a provision that would require organizations to report data breaches to the Privacy Commissioner, as well as to notify affected individuals in certain circumstances.
Bill C-475 also contemplates what appear to be lower standards for the types of breaches that require reporting, or with respect to which the Privacy Commissioner may require notification of affected individuals, likely resulting in more reports and notifications than under the government bill.
In this regard, Bill C-12 requires organizations to report material breaches of security safeguards involving personal information; Bill C-475 requires organizations to notify the Privacy Commissioner where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the breach. With respect to notification of affected individuals, Bill C-12 would require organizations to notify an individual where it is reasonable to conclude that the breach creates a real risk of significant harm to the individual; Bill C-475 would provide that the Privacy Commissioner may require an organization to notify affected individuals to whom there is “an appreciable risk of harm” as a result of the breach.
Bill C-475 would also provide the Privacy Commissioner with new enforcement powers respecting compliance with PIPEDA as a whole, including the ability to issue orders requiring organizations to take corrective action to come into compliance with the law and to publish notices of any such action taken or proposed to be taken. The Bill would also provide the Privacy Commissioner with the ability to seek from the Federal Court penalties of up to $500,000 against organizations that do not comply with orders issued by the Commissioner.
The Bill would also create a private right of action whereby individuals affected by any violation of PIPEDA that was made the subject of a Privacy Commissioner order may seek damages for losses suffered as a result of the non-compliance.
At the same time, the New Democrat bill omits several important business-friendly reforms contained in the government bill, including a clearer and more expansive carve-out for business contact information and a prospective business transaction exception that would allow businesses to disclose personal information without consent in the context of certain transactions, including mergers, acquisitions and financings.