Mandatory Data Breach Notice Bill Stalls As Canadian Parliament Session Closed

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Peter Menyasz  

Sept. 16 --The Canadian government's Sept. 13 decision to end the Parliament's legislative session has at least temporarily blocked passage of proposed amendments (Bill C-12) to Canada's framework federal privacy law that would have introduced a limited mandatory data breach notification requirement.

A new parliamentary session is scheduled to start Oct. 16, and the rules permit the government to reintroduce bills that failed to complete the parliamentary process in the previous session. But Sébastien Gariépy, a spokesman for Industry Minister James Moore, told Bloomberg BNA Sept. 13 that he could not confirm that the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) would be reintroduced by the Department of Industry.

If reintroduced, it would be the third time Parliament has seen the measure.

The legislation was first introduced in May 2010 (9 PVLR 787, 5/31/10). But it died when Parliament was dissolved for a federal election.

C-12, which was identical to its predecessor legislation, was reintroduced Sept. 29, 2011, by Industry Minister Christian Paradis (10 PVLR 1458, 10/10/11).

Delays Raise Concerns

The national data protection authority, the Office of the Privacy Commissioner of Canada, never had an opportunity to provide detailed analysis and comment on Bill C-12, as the legislation never made it to that point in the parliamentary process, privacy office spokesman Scott Hutchinson told BNA Sept. 13.

Outgoing Privacy Commissioner Jennifer Stoddart has been clear that her office's proposals, which were based on a review of PIPEDA conducted in 2006, are now out of date, Hutchinson said.

“Much has changed as the years have passed, and the Commissioner believes Canadians need far stronger protections than what is being proposed with respect to data breaches,” he said. “Our Office would again encourage parliamentarians to proceed with a second review of PIPEDA. It is our hope that the government will take these views into account as it plans ahead for the coming parliamentary session.”

Stoddart, whose term as privacy commissioner expires in December, continued to stress in her last annual report to the Canadian Parliament on PIPEDA, published June 6, that the act should be fully reviewed and updated to better motivate organizations to make privacy a priority (12 PVLR 1217, 7/8/13).

The privacy community and Canadians in general have been pushing for many years for an updating of PIPEDA, so hopefully the government will give the proposed amendments even higher priority in the new parliamentary session, Brian Bowman, a partner with Winnipeg-based Pitblado LLP, told Bloomberg BNA Sept. 16.

“I and many others in the privacy community are very eager to see this move forward as soon as possible,” Bowman, chair of the Canadian Bar Association's National Privacy and Access Law Section, told Bloomberg BNA. “The stakes are quite high as far as many of these proposed changes are concerned.”

Technology continues to evolve at a rapid pace, and amendments are needed to help PIPEDA catch up to the current environment, he said. The government's challenge is to find an appropriate balance between ensuring privacy protection for individual Canadians and not imposing excessive restrictions on the business community, he said.

Prioritizing Privacy?

Ideally, the government will commit to a time frame to implement the PIPEDA amendments and will provide opportunities for input from the legal community and the general public, Bowman said. “They've got a lot of competing priorities, but this impacts every Canadian,” he said.

It is, however, difficult to predict how much priority the Canadian government will put on privacy issues in the upcoming parliamentary session, Kris Klein, a partner with Ottawa-based law firm nNovation LLP, told Bloomberg BNA Sept. 16.

In addition to the PIPEDA amendments proposed in Bill C-12, the government needs to complete implementation of its new anti-spam law, modernize the public sector Privacy Act, and appoint a new federal privacy commissioner, Klein, also managing director of the Canadian chapter of the International Association of Privacy Professionals, said.

Limited Breach Notice

Bill C-12 would have required organizations to report to the privacy commissioner “material” data breaches, although the bill does not define the term “material.”

The bill included a risk of harm trigger that would have required organizations to notify affected individuals only if they faced significant risk of harm. The bill does not detail how breach notifications were to be made, indicating that would be specified in subsequent regulations, and did not provide details of how the privacy agency would enforce the breach notification requirements.

Privacy groups warned that Bill C-12's limited requirements would not be sufficient to ensure that data breaches would not harm consumer confidence in the new digital economy (11 PVLR 106, 1/16/12).

A private member's bill (C-475) that proposed an alternative breach notification regime was also introduced in the closed parliamentary session. C-475, introduced Feb. 26 by New Democratic Party member Charmaine Borg, was briefly debated May 23 but was never brought to a vote.

C-475 would have required, “without unreasonable delay,” notification of any breach involving the loss, disclosure or unauthorized access to personal information where a reasonable person would see a possible risk of harm.

It also would have empowered the federal privacy agency to require notification of potentially affected individuals of any “appreciable” risk of harm and would have given the agency new order-making powers and a right of action against private sector organizations that fail to comply with an order.


To contact the reporter on this story: Peter Menyasz in Ottawa at

To contact the editor responsible for this story: Donald G. Aplin at

Bill C-12 is available at

Bill C-475 is available at

Request Bloomberg Law: Privacy & Data Security