Sept. 16 --The Canadian government's Sept. 13 decision
to end the Parliament's legislative session has at least temporarily blocked
passage of proposed amendments (Bill C-12) to Canada's framework federal privacy law that
would have introduced a limited mandatory data breach notification
A new parliamentary session is scheduled to start Oct. 16,
and the rules permit the government to reintroduce bills that failed to
complete the parliamentary process in the previous session. But Sébastien
Gariépy, a spokesman for Industry Minister James Moore, told Bloomberg BNA
Sept. 13 that he could not confirm that the amendments to the Personal
Information Protection and Electronic Documents Act (PIPEDA) would be
reintroduced by the Department of Industry.
If reintroduced, it would
be the third time Parliament has seen the measure.
The legislation was
first introduced in May 2010 (9 PVLR 787, 5/31/10). But it died when
Parliament was dissolved for a federal election.
C-12, which was
identical to its predecessor legislation, was reintroduced Sept. 29, 2011, by
Industry Minister Christian Paradis (10 PVLR 1458, 10/10/11).
The national data protection authority, the Office of
the Privacy Commissioner of Canada, never had an opportunity to provide
detailed analysis and comment on Bill C-12, as the legislation never made it
to that point in the parliamentary process, privacy office spokesman Scott
Hutchinson told BNA Sept. 13.
Outgoing Privacy Commissioner Jennifer
Stoddart has been clear that her office's proposals, which were based on a
review of PIPEDA conducted in 2006, are now out of date, Hutchinson said.
“Much has changed as the years have passed, and the Commissioner believes
Canadians need far stronger protections than what is being proposed with
respect to data breaches,” he said. “Our Office would again encourage
parliamentarians to proceed with a second review of PIPEDA. It is our hope
that the government will take these views into account as it plans ahead for
the coming parliamentary session.”
Stoddart, whose term as privacy
commissioner expires in December, continued to stress in her last annual report to the Canadian Parliament on PIPEDA,
published June 6, that the act should be fully reviewed and updated to better
motivate organizations to make privacy a priority (12 PVLR 1217, 7/8/13).
The privacy community and Canadians in general have been pushing for many
years for an updating of PIPEDA, so hopefully the government will give the
proposed amendments even higher priority in the new parliamentary session,
Brian Bowman, a partner with Winnipeg-based Pitblado LLP, told Bloomberg BNA
“I and many others in the privacy community are very eager to
see this move forward as soon as possible,” Bowman, chair of the Canadian Bar
Association's National Privacy and Access Law Section, told Bloomberg BNA. “The
stakes are quite high as far as many of these proposed changes are
Technology continues to evolve at a rapid pace, and
amendments are needed to help PIPEDA catch up to the current environment, he
said. The government's challenge is to find an appropriate balance between
ensuring privacy protection for individual Canadians and not imposing excessive
restrictions on the business community, he said.
Ideally, the government will commit to a time frame to
implement the PIPEDA amendments and will provide opportunities for input from
the legal community and the general public, Bowman said. “They've got a lot of
competing priorities, but this impacts every Canadian,” he said.
however, difficult to predict how much priority the Canadian government will
put on privacy issues in the upcoming parliamentary session, Kris Klein, a
partner with Ottawa-based law firm nNovation LLP, told Bloomberg BNA Sept.
In addition to the PIPEDA amendments proposed in Bill C-12, the
government needs to complete implementation of its new anti-spam law,
modernize the public sector Privacy Act, and appoint a new federal privacy
commissioner, Klein, also managing director of the Canadian chapter of the
International Association of Privacy Professionals, said.
Bill C-12 would have required organizations to report to
the privacy commissioner “material” data breaches, although the bill does not
define the term “material.”
The bill included a risk of harm trigger
that would have required organizations to notify affected individuals only if
they faced significant risk of harm. The bill does not detail how breach
notifications were to be made, indicating that would be specified in
subsequent regulations, and did not provide details of how the privacy agency
would enforce the breach notification requirements.
warned that Bill C-12's limited requirements would not be sufficient to ensure
that data breaches would not harm consumer confidence in the new digital
economy (11 PVLR 106, 1/16/12).
A private member's bill (C-475) that proposed an alternative breach notification regime was also introduced in the closed parliamentary session. C-475, introduced Feb. 26 by New Democratic Party member Charmaine
Borg, was briefly debated May 23 but was never brought to a vote.
would have required, “without unreasonable delay,” notification of any breach
involving the loss, disclosure or unauthorized access to personal information
where a reasonable person would see a possible risk of harm.
would have empowered the federal privacy agency to require notification of
potentially affected individuals of any “appreciable” risk of harm and would
have given the agency new order-making powers and a right of action against
private sector organizations that fail to comply with an order.
To contact the reporter on this story: Peter Menyasz in Ottawa at email@example.com.
To contact the editor
responsible for this story: Donald G. Aplin at firstname.lastname@example.org.
Bill C-12 is available at http://www.parl.gc.ca/LEGISInfo/BillDetails.aspx?Language=E&Mode=1&billId=5134895.
Bill C-475 is available at http://www.parl.gc.ca/LEGISInfo/BillDetails.aspx?Language=E&Mode=1&billId=5996156.