MT>3

The Digital Privacy Act – Part 1: The Calm before the Storm

8/7/2015

 
With the Digital Privacy Act receiving Royal Assent on June 18, 2015, Canada has taken a step in the right direction when it comes to further protecting personal information. The Digital Privacy Act has been received with great fanfare by those looking for greater regulation over data breach notification, and sanctions for the harm caused by those breaches. Unfortunately, the notification and sanction provisions of this Act are not yet in force.

The Digital Privacy Act is a series of amendments to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA applies to any work, undertaking or business that is under the legislative authority of Parliament, as well as some businesses that fall under provincial regulation. If you are not sure whether it applies to you, check here.

For the most part, the provisions that came into force this week provide some clarity to regulated organizations on how and when they may collect, use and disclose personal information without the consent of the individual.  These provisions are relatively benign and condone appropriate business transactions and activities without compromising personal information protection.

One provision that does stand out is the new section 6.1 of PIPEDA, which provides an objective standard for establishing valid consent for the collection or use of personal information:

…the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

Commentators will quickly pick up on the challenges of gaining consent from children and the elderly, but the problem may be much more fundamental.  The average consumer will likely be able to figure out the nature and purpose of the collection, use and disclosure of their personal information, but have no idea what consequences may flow.  Getting valid consent under PIPEDA requires more than scroll and click – just how much more depends on what “reasonable to expect” will be interpreted to mean.

Overall, the amendments that are now in force are relatively uncontentious and, over time, will provide a measure of predictability in how our information is collected and used.

These benign provisions are really the calm before the storm. If and when the balance of the Digital Privacy Act comes into force, those organizations that are not prepared will face even greater liability for failing to ensure that the personal information they collect is properly protected from a breach. Specifically, PIPEDA will then:

- require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;

- require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control; and,

- create offences in relation to the contravention of certain obligations respecting breaches of security safeguards.

These provisions set the tone for the next generation of information protection, but do not provide us with all of the details.  Questions about the nature and extent of breach notices, the form of the notice and the type of report required by the Privacy Commissioner will follow in Regulations.   The details will no doubt create a new stir when promulgated.

For now, many organizations are still struggling to maintain current and adequate security controls. Further, the complexity and frequency of cyber-attacks are such that some breaches are detected well after the fact, when the scope and scale are difficult to determine. Add to the challenge the fact that managing information, including personal information, is one of the greatest challenges facing many organizations, and we have a perfect storm on the horizon.

When it comes to personal information breaches, few dispute that greater transparency and accountability is a good thing. By making all breaches reportable, the business case for proactive security, appropriate information governance and personal information protection will become even stronger. It will be interesting to see whether the fair warning provided by the pending provisions will drive organizations to prepare for that storm now. With the fair warning provided by the Digital Privacy Act, don’t expect much sympathy from the Privacy Commissioner if you aren’t ready when the storm hits.

