The federal government’s long-awaited introduction of a bill to amend the Personal Information Protection and Electronic Documents Act is a constructive step forward in keeping Canada’s private-sector privacy legislation up to date and responsive to the exigencies of technology and the modern marketplace.
Furthermore, the proposed amendments build into the legislation several provisions that were recognized as omissions when the law was first enacted.
An example is found in the exemptions from the consent requirements for sale-of-business transactions involving a transfer of assets. Under the current law, an asset sale that includes personal information, such as customer lists or employee data, requires the consent of all affected individuals to the transfer of their personal information. In contrast, a sale transaction effected by transfer of shares — where no specific assets are transferred — does not require consent. This imbalance within the law in addressing, in essence, the same transactions, has required some legal gymnastics as well as some stretching of concepts, such as implied consent, albeit with the tacit approval of the federal Office of the Privacy Commissioner.
The model for sale-of-business transactions adopted in the PIPEDA amendments is essentially the same as that in Alberta’s and British Columbia’s personal information protection acts, which provide for an exception for both due diligence disclosure in advance of a sale transaction, and the transfer of personal information on closing.
The alignment of PIPEDA’s consent rules with the Alberta and British Columbia acts is also evident in other aspects of the proposed amendments. For example, the amending bill introduces another exception to the consent requirements — for the collection, use, or disclosure of personal information of employees of an organization if that collection, use, or disclosure was necessary for establishing, managing, or terminating the employment relationship and the employee has been given notice that such information will be collected, used, or disclosed for those purposes. This exception substantially tracks the similar rule found in the provincial acts.
This alignment of approaches between the to-be-amended PIPEDA and the recently amended Alberta act is not as evident when one examines the proposed rules for what is arguably the most significant change reflected in the amendments, the “breach notification” provision.
It has been speculated that Alberta’s amendments — which were passed by the legislature last November and came into force May 1 — may have pushed Ottawa into moving on the PIPEDA amendments. Certainly, the Alberta legislature has made its mark by enacting the first mandatory breach notification rule in any of the Canadian private-sector privacy laws (federal or provincial), apart from the requirement specific to personal health information contained in Ontario’s Personal Health Information Protection Act, 2004.
To put this development in context, it should be recalled that in the United States, which has no generally applicable privacy law at either the federal or state level, the great majority of state governments adopted breach notification rules several years ago. Furthermore, breach notification has been acknowledged as the single most important amendment required for PIPEDA, from the time when the federal Ministry of Industry, commencing in 2005, and later, in 2007, the Commons standing committee on access to information, privacy, and ethics considered the act and made recommendations for amendments to it.
The fact that it has taken another three years to introduce the amending bill is an unfortunate reflection of the state of our current parliamentary process.
All this being said, it is significant that the proposed breach notification rules have been set forth — albeit they are not yet law — since all stakeholders (consumers, organizations, regulators) may now begin establishing processes and laying down expectations consistent with the anticipated framework.
Furthermore, the proposed model for breach notification is well thought-out, reflective of the careful and considered consultations that it has had both within the government and from outside stakeholders. It is unfortunate, however, that tabling of the model did not occur until after the new Alberta rule was enacted, since there are some significant differences that might have been avoided if the proposed federal rules had been known.
The main differences between the PIPEDA and the Alberta breach models focus on two key aspects: the threshold for reporting and the role of the regulator (i.e. a privacy commissioner).
All commentators who have considered the possible options for a breach notification model have recognized as necessary that there be a minimum criterion for requiring a report to a regulator, and that the circumstances requiring notification of affected individuals be set out. It is also acknowledged that, notwithstanding any mandatory threshold for either reporting or notification, an organization that has suffered a breach may determine independently, based on its own internal protocols, that it will report and/or notify.
The PIPEDA amendments propose that only “material” breaches must be reported to the privacy commissioner. Materiality is defined, non-exhaustively, to include: the sensitivity of the compromised personal information; the number of individuals affected; and whether the breach may be indicative of a systemic problem. Using these criteria as a minimum, an organization must determine whether it is required to report the breach.
The significance of setting the criteria for reporting is that clearly not every breach will require a public regulator’s time and resources to monitor and, if necessary, to intervene and guide the process. Alberta’s act recognizes this tenet but stipulates a differently stated criterion: if there is a reasonable risk of significant harm to even one individual, a report must be made to the commissioner. By contrast, the PIPEDA approach does not necessarily require reporting in such a circumstance, but instead, looks to the extent of impact of the breach — including the potential risk to individuals.
The focus on “harm to even one individual” in the Alberta approach is reflective of the other major distinction vis-à-vis the proposed PIPEDA rule. Under the Alberta rule, the commissioner, having received a report of a breach, must then determine whether the organization is required to notify affected individuals. In other words, the commissioner’s office will perform a “gatekeeping” function.
By contrast, the PIPEDA rule sets out a separate criterion for the organization to determine whether notification is required. Significantly, this criterion is very similar to Alberta’s criterion for reporting: if it is reasonable in the circumstances that the breach creates a “real risk of significant harm to the individual,” notice must be given.
Of note is that this criterion applies even if a report to the regulator is not required — under the different criteria applicable to that determination.
While in many cases the result in terms of notification to individuals may be the same whether an organization is governed by PIPEDA or by Alberta’s legislation (or both), the differences in approach are evident: PIPEDA will require an assessment of several factors before a positive decision to report is made, whereas in Alberta, if even one individual faces a “real risk” of significant harm, a report is required. However, whether or not a report is made to the commissioner, PIPEDA will require notification of an individual who faces such a risk.
In Alberta, the commissioner will make that determination — arguably a more hands-on approach. There, the ultimate decision of whether notification is required is left to the regulator, effectively requiring that office to review all breaches where a significant risk of harm is posed.
One hopes that this added burden placed on the commissioner’s office will not slow down the critical process of getting notice out to affected individuals, who, in the final analysis, will be the ones who must take appropriate measures to protect themselves from the potential harm caused by a compromise of their personal information.
David Young is co-chairman of Lang Michener LLP’s privacy law group in Toronto.