Digital Privacy Act Receives Royal Assent, but Breach Notification Provisions Lag Behind
June 19, 2015
- PIPEDA has been amended to clarify that an individual’s consent is only valid if it is reasonable to expect that the individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which he/she is consenting.
- PIPEDA now contains a “business transaction” exemption that will allow organizations to use and disclose personal information without consent in connection with mergers, acquisitions, financings, etc. (both during due diligence and post-closing), provided certain conditions are met.
- Business contact information is no longer excluded from the definition of personal information. However, PIPEDA’s provisions dealing with personal information will not apply to the collection, use and disclosure of business contact information by an organization solely for the purpose of communicating or facilitating communication with an individual about his/her employment, business or profession. Importantly, “business contact information” is given a broad definition and includes business email addresses, which were not previously excluded from the definition of personal information under PIPEDA. Notwithstanding this exemption, organizations should be aware that email communications must comply with requirements under Canada’s Anti-Spam Legislation (see our December 2013 Blakes Bulletin: The Waiting Game Is Over: Canada’s Anti-Spam Legislation Will Change the E-Communication Landscape).
- The Privacy Commissioner of Canada (Commissioner) now has the power to enter into a compliance agreement with an organization if the Commissioner believes, on reasonable grounds, that the organization has committed, is about to commit or is likely to commit a breach of PIPEDA. A compliance agreement may contain any terms that the Commissioner considers necessary to ensure compliance under PIPEDA. Failure to abide by the terms of a compliance agreement allows the Commissioner to apply to the Federal Court for certain remedies, including an order requiring compliance, or a hearing.
- There are now several new exceptions from PIPEDA’s consent requirement, including:
  - Information that was produced by an individual in the course of his/her employment, business or profession may be collected, used and disclosed without consent provided the collection, use or disclosure is consistent with the purposes for which the information was produced (a so-called “work product” exemption).
  - Organizations may disclose personal information to other organizations without consent where disclosure is reasonable for the purposes of investigating a breach of an agreement or contravention of the laws of Canada or a province, or for the purposes of detecting, suppressing or preventing fraud, provided that in either case it is reasonable to expect that disclosure with consent would compromise the investigation or ability to detect, suppress or prevent the fraud, as applicable.
  - Information contained in a witness statement may be collected, used and disclosed without consent provided the collection, use or disclosure is necessary to assess, process or settle an insurance claim.
NOT YET IN FORCE