For the first time in nearly a decade, a province has enacted comprehensive private sector privacy legislation. Learning from the experiences federally and in the provinces of British Columbia and Alberta, Manitoba has enacted what is arguably the most advanced privacy legislation in Canada. It is important to note that the Manitoba legislation is not yet in force.
The Personal Information Protection and Identity Theft Prevention Act (Manitoba PIPITPA) is broadly similar in structure and content to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the legislation of British Columbia and Alberta. There are a number of differences that privacy advocates may argue make this legislation best in class.
- Mandatory individual breach notification. The Manitoba PIPITPA requires organizations to make individual breach notification as soon as reasonably practicable if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner. Importantly, however, the organization need not do so if the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully. The Manitoba PIPITPA does not have the two-step approach of the Alberta legislation but also appears to set a lower threshold for notification.
- Private right of action for failure to protect information or provide notice. Class proceedings on the horizon? The Manitoba PIPITPA provides expressly for a private right of action against an organization for damages arising from a failure to (a) protect personal information in the custody or control of the organization or (b) provide the individual breach notification in circumstances where it was not reasonable for the organization to believe that the information could hot be used unlawfully. The spectre of potential proceedings under The Class Proceedings Act (Manitoba) using this private right of action provision may become an important driver when organizations are considering breach notification responsibilities.
- Safe harbour provisions against liability. Counterbalancing the private right of action is a safe harbour provision for organizations from liability for any damages resulting from:
- the disclosure or failure to disclose (in good faith) or the consequences of the disclosure or failure to disclose a record or personal information; or
- the failure to give a required notice (including an individual breach notification) if reasonable care was taken to give the notice.
- Allowing for co-regulatory model of professional codes. Although the Manitoba PIPITPA is intended to be comprehensive legislation, the Legislature has provided for flexibility to permit a professional regulatory organization to establish a personal information code that would govern the organization instead of most of the provisions of the Manitoba PIPITPA (including the breach notification and private write of action provisions). This is an important innovation, which, if adopted across Canada, could allow professional regulatory organizations to develop and enforce (through existing or adapted disciplinary proceedings) privacy codes that are approved by data protection authorities.
- Clarification of the power of minors to consent. The Manitoba PIPITPA directly addresses the ability of minors to give consent. The minor is empowered to exercise any right or power under the Manitoba PIPITPA if the minor is capable of understanding the nature of the right or power provided for in the legislation and the consequences of exercising the right or power.
- Penalties for wilful violation. Wilful violations of the PIPITPA are punishable as provincial offences. Fines are up to $10,000 for individuals and $100,000 for organizations. Individuals and organizations are not liable if they acted reasonably in the circumstances. Punishable violations include:
- wilfully collecting, using or disclosing personal information in contravention of Part 2 [query whether this was supposed to be Part 3 - which are the provisions directly relevant to the collection, use and disclosure of personal information];
- wilfully attempts to gain or gains access to personal information in contravention of the legislation; or
- disposes of or alters, falsifies, conceals or destroys personal information or any record relating to personal information, or directs another person to do so, with an intent to evade a request for access to the information or the record.
The Manitoba legislation departs from the legislation in other provinces by not including a complaint procedure to the Manitoba Ombudsman. Instead, the intention appears to be to rely on private action. Time will tell whether this gap undermines the policy goals of the legislation.
Interestingly, however, the Manitoba PIPITPA contains whistle-blower protections for employees of an organization who disclose to the Ombudsman a contravention or imminent contravention of the Manitoba PIPITPA, provided that the employee is acting in good faith and on the basis of reasonable belief. The extent of the Ombudsman’s day-to-day role in supervising organizations is currently unclear.