In the News: Bill S-4, the Digital Privacy Act

May 13, 2015

Overview

The Digital Privacy Act, otherwise known as Bill S-4, is an act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The proposed amendments follow the 2007 statutory review of PIPEDA by the Standing Committee on Access to Information, Privacy and Ethics. [1] The Bill was reported by the Standing Committee on Industry, Science and Technology on April 22, 2015.

The Bill has been promoted by the government as a means of providing protection for Canadians online. It amends PIPEDA by specifying the nature of consent required for the collection, use or disclosure of personal information and, conversely, by permitting the collection, use and disclosure of personal information without consent under certain circumstances. It also sets out parameters for organizations to follow if they have suffered a security breach.

 

Summary

The following is a more detailed description of the Bill’s proposed amendments:

  • It specifies what is required for valid consent for the collection, use or disclosure of personal information;
  • It permits the disclosure of personal information without the knowledge or consent of an individual under various circumstances which include:
    • identifying an injured, ill or deceased individual and communicating with their next of kin,
    • preventing, detecting or suppressing fraud, or
    • protecting victims of financial abuse;
  • It permits organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
    • contained in witness statements related to insurance claims, or
    • produced by the individual in the course of their employment, business or profession;
  • It permits organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
  • It permits federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
  • It requires organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a “real risk of significant harm” and to report them to the Privacy Commissioner;
  • It requires organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
  • It creates offences in relation to the contravention of certain obligations respecting breaches of security safeguards including a fine of up to $100,000 for failing to comply;
  • It extends the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
  • It provides that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
  • It modifies the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so. [2] 

 

Comments & Criticisms

 Disclosure

While an update to PIPEDA is strongly welcomed, the current proposal raises very real concerns for privacy advocates. In particular, the proposed amendments to section 7(3) have been heavily contested. In his submissions to the Standing Committee on Industry, Science and Technology, Michael Geist, Canada Research Chair in Internet and E-Commerce, submitted that:

Bill S-4 expands the possibility of personal information disclosure…without the knowledge or consent of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation). [3]

The investigative exception proposed by Bill S-4 places organizations in a position to decide when it is appropriate to disclose customer information to other organizations or law enforcement agencies. Privacy proponents are concerned about the level of authority this provides organizations such as ISPs, “who lack the capacity, expertise and legitimacy to properly assess the legal claim of a third party” and the possibility that these changes may lead to fishing expeditions by copyright holders and others seeking to advance litigation. [4] These amendments run counter to the spirit of the recent Supreme Court of Canada decision in R v. Spencer, which ruled that Canadians have a reasonable expectation of privacy. It is recommended that reasonable controls be added to the proposed wording. [5]

Also commenting on this issue, the Federal Privacy Commissioner (“Commissioner”) has stated that: 

These proposed amendments permit disclosures based on a lower threshold (“reasonable for the purpose” of investigating a breach of an agreement or a contravention of a law rather than “reasonable grounds to believe” that the information relates to a breach or contravention) and for a broader range of purposes (including “to prevent, detect or suppress” fraud).[6]

The Commissioner cautions that this new provision may open the door to widespread disclosure and routine sharing of information about individuals merely on suspicion as opposed to real evidence. He recommends more transparency and accountability between organizations, with organizations required to report publicly the number of disclosures made, the types of organizations the disclosures were made to, and the analysis undertaken in deciding to disclose information. This recommendation is also made by Michael Geist, who reports that over 1 million requests and 750,000 disclosures of personal information were made last year, the majority without court oversight or warrant. [7]

 Security Breach Notification

The proposed Bill is applauded for the addition of a requirement to inform customers where there has been a privacy breach that leads to a risk of “significant harm”. However, this threshold is also seen as too high by some critics, who question whether customers should be told about breaches that may cause a lower level of harm as well. This is particularly the case because it is likely that many organizations will not have the knowledge or ability to conduct an assessment of potential harm; in particular, smaller organizations likely will not have a designated privacy officer and may not be able to effectively conduct these evaluations. [8]

 

[1] Barry Sookman, Digital Privacy Act: Important work still to be done by the INDU Committee: http://www.barrysookman.com/2014/11/10/digital-privacy-act-important-work-still-to-be-done-by-the-indu-committee/

[2] Open Parliament, Bill S-4: https://openparliament.ca/bills/41-2/S-4/?tab=mentions&singlepage=1

[3] Michael Geist, Fixing the Digital Privacy Act: My Bill S-4 Appearance Before the Industry Committee: http://www.michaelgeist.ca/2015/03/fixing-digital-privacy-act-bill-s-4-appearance-industry-committee/

[4] Tamir Israel, Response to Follow-Up Questions of the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) on Bill S-4: Digital Privacy Act: https://cippic.ca/uploads/INDU_S4-Followup_Questions.pdf

[5] Michael Geist, Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure:  http://www.michaelgeist.ca/2014/04/s-4-post/

[6] Office of the Privacy Commissioner of Canada, Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act (the Digital Privacy Act), Submission to the Standing Committee on Industry, Science and Technology:  https://www.priv.gc.ca/parl/2015/parl_sub_150212_e.asp

[7] Supra at 3.

[8] Emily Chung, New privacy rules target data breaches, fraud: http://www.cbc.ca/news/technology/new-privacy-rules-target-data-breaches-fraud-1.2604552

 

Additional resources

Want to learn more about Bill S-4 (“The Digital Privacy Act”), but don’t know where to begin? Here’s a list of recent publications and news articles to get you started.

Parliament’s page on Bill S-4 (An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act).

OpenParliament’s page on Bill S-4 (An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act).

Connolly, Amanda. May 12, 2015. “Government ‘acting in bad faith’ by rushing through Digital Privacy Act: Borg.” iPolitics. 

Anderson, Steve & Meghan Sali. April 2, 2015. “How the Digital Privacy Act S-4 could bring copyright trolls to Canada.” rabble.ca 

Tencer, Daniel. March 12, 2015. “These are the Best (and Worst) Canadian Telecoms for Privacy.” The Huffington Post Canada.

Geist, Michael. March 11, 2015. “Fixing the Digital Privacy Act: My Bill S-4 Appearance Before the Industry Committee.” Michael Geist (blog).

Scholey, Lucy. March 10, 2015. “Privacy bill actually undermines privacy: U of O professor.” Metro. 

Boutilier, Alex. Feb. 5, 2015. “Conservatives open to changing digital privacy bill, but clock is ticking.” Toronto Star. 

Dyer, Evan. Jan. 7, 2015. “Canada backs internet ‘direct democracy’ abroad, but faces questions at home.” CBC.

Sookman, Barry. Nov. 10, 2014. “Digital Privacy Act: Important work still to be done by the INDU Committee.”  Barry Sookman Blog.

Geist, Michael. Nov. 4, 2014. “Why the Digital Privacy Act Will Expand Personal Information Disclosure Without Court Oversight.” Michael Geist Blog.

Seals, Tara. Oct. 27, 2014. “Canada Mulls Mandatory Breach Notifications.” Infosecurity Magazine.

Solomon, Howard. Oct. 23, 2014. “Privacy Act Goes to Committee.” IT World Syndicated.

Geist, Michael. Oct. 21, 2014. “The Expansion of Personal Information Disclosure Without Consent: Unpacking the Government’s Weak Response to Digital Privacy Act Concerns.” Michael Geist Blog.

Tencer, Danny. Jun. 17, 2014. “Bill S-4 Passes Senate, Despite Supreme Court Ruling Against Warrantless Access.” Huffington Post.

McKiernan, Michael. Jun. 2, 2014. “Focus: Major increase in warrantless disclosures predicted.” Law Times.

CBC Editorial. May 26, 2014. “Privacy pushback: 6 ways your rights could be threatened.” CBC News.

Winnipeg Free Press Editorial. May 1, 2014. “Digital Privacy at Risk.” Winnipeg Free Press.

Drake, Tony. Apr. 1, 2014. “The Trouble with Canada’s Digital Privacy Act.” IT Business.

Geist, Michael. Apr. 10, 2014. “Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure.” Michael Geist Blog.