Canada’s House of Commons has recessed. Members of Parliament aren’t scheduled to return until September 17, 2012. By then, Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act (short title: Safeguarding Canadians’ Personal Information Act) will have been on the order paper for almost a year, having been introduced in the House of Commons on September 29, 2011. The Bill doesn’t appear to be moving any quicker than its predecessor, which died when Parliament was dissolved in March 2011.
Bill C-12 would give effect to some of the legislative reforms recommended following the last 5-year review of PIPEDA (which happened more than 5 years ago!). If the Bill could ever get some traction and make it into force, it would (among other things):
- Create a new definition of “business contact information”. “Business contact information” is defined as an individual’s name, position or title, work address, work telephone number, work facsimile number, work e-mail address and any similar information about the individual. This information would not be subject to PIPEDA if the business contact information is collected, used or disclosed solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. Although still an important reform, the regulation of the use of this information (particularly e-mail addresses) may be overtaken for practical purposes by Canada’s Anti-Spam Legislation (CASL) when that legislation comes into force. My colleague, Margot Patterson, has some excellent explanations of CASL on this blog.
- Specify that consent means informed consent. An individual’s consent to the collection, use or disclosure of their personal information is valid only if “it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting”.
- Provide for broader disclosure exceptions for law enforcement purposes. Organizations would be permitted to disclose personal information without consent where the disclosure is requested “for the purpose of performing policing services”. “Policing services” is undefined. Organizations would also be permitted to disclose information to other organizations (not just government institutions) to investigate a breach of an agreement or the laws of Canada or a province or, in certain circumstances, to prevent, detect or suppress fraud.
- Add a prospective business transaction exception. Businesses could disclose personal information to determine whether to proceed with a business transaction (such as a merger or asset sale) and then to complete it.
- Enact breach notification provisions. Organizations would be required to notify the Privacy Commissioner of a material breach of security of personal information. In addition, organizations would be required to notify the affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the individual.