opinion

Chantal Bernier is former interim privacy commissioner of Canada, counsel in the global privacy and cyber-security group at Dentons LLP Canada and a senior fellow in the Graduate School of Public and International Affairs at the University of Ottawa.

Canadian businesses suddenly find themselves contending with an unusually high number of significant privacy law developments.

In April, the Office of the Privacy Commissioner of Canada delineated the rules around online behavioural advertising. In June, Parliament adopted the Digital Privacy Act, amending the Personal Information Protection and Electronic Documents Act (PIPEDA) to create mandatory breach notification and mandatory breach recording, broaden organizations' right to share personal information between them and allow disclosure of personal information in instances of suspected financial abuse. Also, Canadian businesses operating in Europe are seeing stricter privacy obligations looming with the adoption by the Council of Ministers of a position on the Draft European Regulation on Data protection.

Here is an overview of the legal implications of these developments and the necessary adjustments for business.

Online behavioural advertising

Online behavioural advertising (OBA) involves tracking consumers' activities across sites and over time in order to deliver advertising based on their inferred interests. For example, we see ads for cellphones after researching phone upgrades on the Internet.

In a report of findings on Bell Canada's Relevant Advertising Program, the Office of the Privacy Commissioner (OPC) clarified that OBA is a legitimate business objective. It must, however, be based on a consent model that corresponds to the sensitivity of the information collected and to the customer's degree of privacy expectation, both of which are determined by context.

The main adjustment for businesses is that, in developing an OBA program, it would be wise to proceed on the basis of a privacy impact assessment that determines the sensitivity of the information collected and users' reasonable expectations of privacy in the specific context. Consent options and the information given to customers would then be set accordingly.

Breach notification

The Digital Privacy Act amends PIPEDA to create an obligation to notify both the OPC and affected individuals of a personal data breach, as soon as feasible, when there is a "real risk of significant harm." A breach may be any compromise of security safeguards, such as loss of data or unauthorized access, or the failure to establish any safeguards at all. Of note, failure to notify could bring fines of up to $100,000 per affected person who should have been notified and was not.

To adapt to this new obligation, organizations should modify or develop breach response plans in advance, so that every step, including the decision on whether to notify, is properly supported at the time of an incident. The plan should set out the organization's specific criteria for deciding to notify and the decision-making process in that regard. Breach response is not the time to improvise. It is even less the time to be learning new legal obligations.

Record keeping

Another important adjustment for business is the new requirement to keep a record of every personal information breach, whether or not it is subject to notification, and to provide the OPC with access to that record upon request.

Businesses should address this new information management challenge with commensurate internal compliance processes to monitor data security, as well as record-keeping, to demonstrate accountability.

Sharing among organizations

PIPEDA is also amended to broaden the exceptions to the prohibition on disclosing personal information without the knowledge or consent of the individual. Organizations will now be allowed to make such a disclosure to another organization where it is reasonable for the purpose of investigating or preventing a violation of federal or provincial law, or fraud, and where seeking knowledge and consent would compromise that purpose. This new latitude needs to be framed within strict corporate policies to ensure proper implementation. The risk is the possibility of a breach, and of tort action, where the disclosure is deemed unreasonable.

Disclosure of abuse

This amendment will particularly ease the mind of financial institutions. It allows an organization that reasonably believes a person is the victim of financial abuse to report personal information to a government institution or to a next of kin, as the organization decides. The information would have to be strictly limited to the suspected abuse, and it would have to be demonstrated that proceeding with knowledge and consent would compromise the ability to prevent the abuse.

While this amendment may be a positive step to prevent or stop financial abuse, organizations will have to implement it with clear policies and training to govern themselves within the spirit of privacy law.

European regulation

Canadian businesses operating in Europe should be alert to the coming changes under the Draft Data Protection Regulation, on which the European Council of Ministers adopted a position on June 15. The changes bring the regulation one huge step closer to adoption, with worldwide impact on businesses offering products or services in Europe. For example, there are new limits on the use of consent, new obligations regarding the transparency of privacy policies to individuals, a new "right to erasure" of personal information and a requirement for privacy impact assessments when processing data in situations of "high risk," to name but a few.

As the landscape changes to bring privacy law in line with technological and commercial trends, Canadian businesses must study the road map in order to take the right course.
