bill c-29 pipeda reform oba nov 30 2010
8/8/2019 Bill C-29 Pipeda Reform Oba Nov 30 2010
Proposed Changes to PIPEDA
What You Should Know
OBA Information Technology and E-Commerce
November 30, 2010
Mark Hayes, Hayes eLaw LLP
Legislative History
PIPEDA introduced 2001
May 2007: Reviewed by Standing Committee on Access to Information, Privacy and Ethics
25 recommendations
May 2010: Bill C-29 introduced
2nd reading October 2010
Not yet in committee
Legislative History
Government says 4 categories of changes:
protect and empower consumers
clarify and streamline rules for business
support effective law enforcement and security investigations
address technical issues
My Classification
Consent
Consent exceptions
Business contact information and business transactions
Employment information
Computer information collection
Breach notification
Commissioner investigations
Consent
Valid consent (new s. 6.1)
individual must understand nature, purpose and
consequences of the collection, use or disclosure
of personal information to which they are
consenting
Precise effect of new provision unclear
Likely that more detailed disclosures will be required about proposed uses of personal
information
New Consent Exceptions
Disclosure:
To communicate with next-of-kin (s. 7(3)(c.1)(iv))
For purpose of policing services (not otherwise
exempted) (s. 7(3)(c.1)(v))
To another organization and disclosure is necessary
to investigate breach of agreement or contravention of the
Canadian law that has been, is being or is about to be
committed, or
to prevent, detect or suppress fraud when reasonable to
expect that notifying individual would undermine
prevention, detection or suppression of fraud (s. 7(3)(d.1))
New Consent Exceptions
Disclosure:
To government or next of kin to prevent, detect or suppress fraud or financial abuse (s. 7(3)(d.2))
To government or next of kin where necessary to identify injured, ill or deceased individuals (s. 7(3)(d.3))
If individual alive, must give notice in writing of disclosure
This last requirement seems odd
PI contained in witness statement related to insurance claim (s. 7(3)(e.1))
PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(3)(e.2))
Lawful Authority
Some clarification in s. 7(3.1)
Not required to:
Obtain subpoena, warrant or court order before disclosing personal information required as part of a formal government investigation
Verify the validity of lawful authority before disclosing information
Debate about what lawful authority police have will likely continue
Business Contact Information (BCI)
Currently, BCI narrowly defined but
completely excluded from definition of PI
Information excluded limited to specially listed
categories (name, title, business address or
telephone number)
May not include business e-mail
Business Contact Information (BCI)
New s. 4.01 would:
Provide a non-exhaustive definition of BCI
name, position name or title, work address, work
telephone number, work facsimile number, work electronic mail address
Plus any similar information
Require that collection, use or disclosure of BCI
must be solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession
Business Contact Information (BCI)
Unclear how far definition of BCI will extend
Probably has to be information that could be used to contact individual
Effect of qualifying as BCI is to exempt all collection, use and disclosure from PIPEDA
What happens if use goes beyond restrictions?
Is information no longer BCI forever?
Must read this change in conjunction with FISA (C-28) discussed by Fraser
Business Transactions
New s. 7.11 gives broad exception to allow use and disclosure of PI without consent
Prospective or completed business transactions
Include mergers and acquisitions, financings, leases, licenses and securitizations
Not applicable if primary purpose of transaction is purchase, sale or lease of personal information
Must have agreement requiring PI disclosure
PI must be necessary to considering or completing transaction
Business Transactions
PI use in transactions potentially much simpler
Purchaser may use and disclose PI if:
Parties enter into agreement to:
Use after closing same as before transaction
Apply appropriate security safeguards
Give effect to any withdrawal of consent
PI necessary to carry on business
One party notifies individuals post-closing about
transaction and disclosure of PI
Employment Information
New s. 7.2: Organization may collect, use and disclose PI without consent if:
Collection, use or disclosure necessary to establish, manage or terminate employment relationship
Employer has informed the individual that PI will be or may be collected, used or disclosed for those purposes
Welcome addition to remedy glaring omission in original PIPEDA
New s. 7.3: Employer may use and disclose PI that qualifies under s. 7.2 for purposes other than those for which PI was collected
Computer Information Collection
New s. 7.1: Consent exemptions for collection and use do not apply to:
Collection of electronic addresses by means of a specialized computer search program
PI collected by accessing a computer system in contravention of federal law
Probably referring to Sections 342.1 and 326 of Criminal Code
Note that this overrides journalism exception in s. 7(1)(d)
There has been little objection thus far
Breach Notification
New s. 10.1: Organization must report any
material breach of security safeguards to PCC
Materiality depends on:
Sensitivity of PI
Number of individuals whose PI was involved
If cause of breach indicates systemic problem
Breach Notification
New s. 10.2: Must also notify individual if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual
Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property
Factors for significant harm are sensitivity of PI and probability that the personal information has been, is being or will be misused
Breach Notification
Both 10.1 and 10.2 require notification to be
given in accordance with regulations and to
be done as soon as feasible
This timing requirement may be too stringent
New s. 10.3 permits further notification to
another organization or government body if
they can reduce the potential harm
Again subject to unspecified regulations
Commissioner Investigations
Several minor tweaks
PCC given more discretion in s. 12.1 to decide
whether to investigate a complaint and what to do in the course of an investigation
S. 22 adjusted to make clear the extent of
defamation exemption for PCC relating to
investigations and reports
In Conclusion.
In general, proposed changes are relatively
uncontroversial and welcome fixes
Employment and business transaction changes make PIPEDA more business friendly
and dovetail with Alberta and BC PIPAs
Breach notification seems to have struck the right compromise; questions remain about
how PCC will handle notification volume
Thank you!
If you would like a copy of
these slides, please leave me a card or email me at