By Bernice Karn
On April 8, 2014, the Harper government introduced Bill S-4 in the Senate. The new Bill, known as the "Digital Privacy Act" is touted as providing new protections for Canadians when they search the web and shop online. However, for privacy observers, the Digital Privacy Act largely represents a retabling of two previous Bills introduced in the House of Commons to amend the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the most recent of which was Bill C-12, introduced in 2011, which died when Parliament was prorogued in 2013.
The Digital Privacy Act contains a number of administrative amendments and, of the recycled amendments to PIPEDA, the following are noteworthy:
In terms of actual “news" in the Digital Privacy Act, the Bill proposes a new section 17.1 that gives the federal Privacy Commissioner (the “Commissioner”) the power to enter into "compliance agreements" where the Commissioner believes on reasonable grounds that an organization has committed, is about to commit, or is likely to commit an act or omission that could constitute a breach of certain provisions of PIPEDA. This is not the order making authority that many had thought that the Commissioner might obtain in future amendments to PIPEDA. A compliance agreement will suspend the Commissioner's right to apply to court for hearings of certain matters under PIPEDA, but affected individuals will retain the right to apply for hearings, and prosecutions of offences under PIPEDA remain possible.
Where the Commissioner is of the view that the organization is not adhering to the terms of a compliance agreement, the Commissioner has an obligation to notify the organization and may apply to the court: for an order requiring compliance, to request a hearing (relating to certain provisions of PIPEDA) or to reinstate existing suspended proceedings. While this compliance agreement regime does not have the force of order making authority, it should provide the Commissioner with some leverage to enforce compliance with PIPEDA, especially since the Commissioner is only required to believe on reasonable grounds that an organization has committed, is about to commit, or is likely to commit an act that could contravene certain provisions of PIPEDA in order to request a compliance agreement and it does have the effect of suspending unwanted litigation from the affected organization’s perspective. Therefore, organizations will have an incentive to negotiate and enter into these types of agreements.
While the Digital Privacy Act is largely re-proposing concepts that have been tabled before in Parliament, privacy advocates hope that the third time is the charm and that this Bill will ultimately be enacted. The Bill should also provide some comfort to businesses in terms of facilitating business transactions without the necessity to obtain individual consents to the use or disclosure of personal information in the course of these transactions (or to obtain a court order permitting such transfer) and to at last put some parameters around the scope of breach notification requirements at the federal level.
We will be monitoring the progress of this Bill and will advise on any significant developments as they occur.