The Government of Canada recently passed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that will impact every organization that collects, uses or discloses personal information in the course of commercial activities (for example, the personal information of customers or clients).

Overall, the basic framework in PIPEDA remains the same. Key changes include:

  • Clarification of valid consent. PIPEDA is now more explicit about what constitutes valid consent when collecting personal information through commercial activities directed at specific classes of individuals, such as children.
  • Mandatory data breach reporting. PIPEDA now includes obligations for organizations to report potentially harmful data breaches to the Privacy Commissioner of Canada and affected individuals, and to keep records of all data breaches. The law includes significant fines for deliberately failing to comply with the new data breach rules.
  • New exceptions to the requirement for consent. PIPEDA now includes a number of new exceptions to the requirement for organizations to have consent before collecting, using, or disclosing personal information for specific purposes. These new exceptions include being able to share personal information to conduct due diligence in the context of a merger or acquisition; to report suspected cases of financial abuse; or to contact the family of a missing or injured individual.
  • New powers for voluntary disclosure when deemed in the public interest and other powers. Under PIPEDA the Privacy Commissioner now has the ability to enter into voluntary compliance agreements with organizations that have been found to be violating the law. In addition, the Commissioner has more time to take organizations to court over a privacy violation, and greater scope to make information about a non-compliant organization public, when it is in the public interest.

These changes came into force on June 18, 2015, with the exception of the mandatory data breach reporting requirements. Those requirements will not come into force until regulations that provide specifics on them have been adopted, which is expected sometime in 2016. Industry Canada has stated that it will hold stakeholder consultations in advance of finalizing these regulations.

A press release from the Government of Canada can be found here: News Release.
The legislative summary of the law can be found here: Legislative Summary.
The full text of the law can be found here: Full Text of Digital Privacy Act.

Next Steps:

RCC will continue to liaise with Government and be the voice of retail during the development of the regulations and as issues related to compliance arise.

If you have any questions or concerns, please don’t hesitate to contact Jason McLinton, Senior Director, Public Affairs, at [email protected] or 613-656-7903.