Library of Parliament Research Publications
41st Parliament, 1st Session
Legislative Summary of Bill C-12: An Act to amend the Personal Information Protection and Electronic Documents Act *
Dara Lithwick, Legal and Legislative Affairs Division
19 October 2011
Publication Number 41-1-C12E PDF 280 kB, 12 pages
Any substantive changes in this Legislative Summary that have been made since the preceding issue are indicated in bold print.
Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act (short title: Safeguarding Canadians’ Personal Information Act), was introduced in the House of Commons by the Minister of Industry on 29 September 2011. It is a reintroduction of Bill C-29, which died on the Order Paper following the dissolution of the 40th Parliament on 26 March 2011. That bill did not proceed past second reading.
Bill C-12 will amend the Personal Information Protection and Electronic Documents Act (PIPEDA),1 the main federal legislation governing privacy rights and obligations in the private sector.
According to an Industry Canada backgrounder, the proposed amendments to PIPEDA found in Bill C-12 are designed to:
- protect and empower consumers;
- clarify and streamline rules for business;
- enable effective investigations by law enforcement and security agencies; and
- make linguistic and other technical drafting corrections.2
PIPEDA was passed into law in 2000, and came into force in stages during the following several years. It was drafted following broad stakeholder consultations, which led to the unusual step of incorporating a voluntary industry standard (the Model Code for the Protection of Personal Information 3) into the text of the legislation itself.4
PIPEDA applies primarily to the collection, use or disclosure of personal information in the course of commercial activities by a private sector organization and by federal works and undertakings.5 It regulates all such activity not only at the federal level and in the territories, but also in every province, unless that province has passed its own legislation requiring the private sector to provide comparable protection, referred to as substantially similar legislation.6 PIPEDA is largely directed towards federal trade and commerce, though commentators have noted that “Part 1 of PIPEDA has both federal and provincial characteristics, which is a necessary incident of its design to regulate the flow of personal information nationally and internationally.” 7 On 9 July 2010, the Federal Court restricted the scope of the definition of “commercial activity” in PIPEDA following a constitutional challenge brought by a private sector organization, State Farm Mutual Automobile Insurance Company. The company questioned whether the provisions of PIPEDA apply to evidence collected by an insurer, on behalf of an insured, in a tort action. Justice Mainville determined that PIPEDA does not apply to such evidence.8
Provinces that have passed substantially similar legislation are Quebec, Alberta and British Columbia.9 Accordingly, in those provinces PIPEDA applies only to federal organizations or to interprovincial or international transactions, while the rest of the private sector’s privacy obligations are governed by the respective provincial statutes. In addition, Ontario has passed legislation that regulates the handling of personal health information by health sector custodians in all sectors;10 PIPEDA therefore does not govern this area in Ontario, but it does continue to govern the handling of regular personal information in the rest of the private sector in that province.
The enforcement body for organizations governed by PIPEDA is the Office of the Privacy Commissioner of Canada (“the Commissioner”). The Commissioner is an ombudsperson who can receive and investigate complaints from the public or any organization concerning violations of PIPEDA. Mediation and conciliation are generally used to resolve complaints, with the aim of achieving corrective action when necessary. The Commissioner does not have the power to issue final orders, but can summon witnesses, administer oaths and compel the production of evidence in the absence of voluntary cooperation. In certain circumstances, she or he may also take cases to the Federal Court to seek an order or other resolution of a matter.
In addition, the Commissioner has the power to audit how personal information is managed by any organization governed by the Act, make public any information about such practices if it is in the public interest, and coordinate activities of various kinds with her or his provincial counterparts, including the development of model contracts for the protection of personal information in interprovincial or international transactions. The Commissioner has a public education mandate with respect to the Act as well.
PIPEDA requires a Parliamentary review of Part 1, the portion of the statute that deals with privacy and personal information, every five years.11 The first Parliamentary review, which contained 25 recommendations for amendments to the legislation, was completed and tabled in the House of Commons in May 2007 by the Standing Committee on Access to Information, Privacy and Ethics.12 The government subsequently issued a response to the recommendations in the Committee’s report,13 and Bill C-12 is the implementation of that response.14
During the 3rd Session of the 40th Parliament, Bill C-29 was introduced in tandem with Bill C-28, a bill containing proposed anti-spam legislation. Bill C-28, which received Royal Assent on 15 December 2010,15 expands the enforcement powers of the Commissioner under PIPEDA.16
Bill C-12 adds several new definitions to PIPEDA. It preserves the existing definition of personal information as “information about an identifiable individual,” but removes the wording excluding the names and coordinates of employees, and creates a new definition for business contact information (clauses 2(1) and 2(3)). It also specifies that PIPEDA’s provisions on personal information do not apply to business contact information (clause 4).
In addition, the bill expands the coverage of PIPEDA to the personal information of applicants for employment with federal businesses, works and undertakings, instead of just employees (clause 3).
The bill inserts a new section 6.1, clarifying that individuals’ consent to collection, use or disclosure of their personal information is valid only if “it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting” (clause 5).
This section aims to ensure that the privacy policies and notification practices of organizations covered by PIPEDA are clear and direct in informing individuals about the ramifications of sharing personal information with these organizations, and do not try to force or mislead individuals into giving such information to the organizations.
However, the bill also expands the number of circumstances in which personal information can be collected, used or disclosed without consent. One new circumstance is if the personal information is contained in a witness statement and is needed to assess, process or settle an insurance claim. Another new circumstance is if the personal information was produced by the individual in the course of his/her employment, business or profession, and the collection, use or disclosure is “consistent” with the purposes for which it was produced (clauses 6(2), 6(4), and 6(10)).
As well, there are many additional new circumstances in which personal information can be disclosed without consent, including personal information requested in order to communicate with the next of kin or authorized representative of an injured, ill or deceased individual (clause 6(6)).
Another new exception is disclosure without consent when the personal information is requested to perform policing services. It should be noted that the existing exceptional circumstances in which information can be disclosed without consent under PIPEDA upon request (and under lawful authority) already include national security, defence and international affairs; enforcement of any laws of Canada, a province or a foreign country; intelligence-gathering related to enforcement of any laws of Canada, a province or a foreign country; and administration of any laws of Canada or a province. This new exception for policing services appears to add an open-ended and undefined circumstance related to law enforcement to this list. The term policing services is not defined in either the Act or the bill (clause 6(6)).
The bill also re-defines the concept of lawful authority, which currently limits the collection, use and disclosure of personal information without consent by law enforcement authorities. The bill specifies that lawful authority is not limited to a subpoena or warrant from a court or to rules of court related to the production of records; this authority appears to be a more general authority that is left undefined. Bill C-12 also specifies that the organization disclosing the information to authorities without consent is under no legal obligation to verify that it possesses the necessary lawful authority before disclosing the information requested (clause 6(12)).
The bill expands another existing exception in the law. Subsection 7(3) of PIPEDA already permits organizations to voluntarily disclose to a government institution personal information without consent when an organization has reasonable grounds to believe that a contravention of the laws of Canada, a province or a foreign country is being, has been, or is about to be committed. Bill C-12 would allow disclosure without consent to organizations in general, presumably including other companies, if necessary to investigate a breach of an agreement or a contravention of laws (as above), or to “prevent, detect or suppress” fraud. In the case of fraud, the bill further permits disclosure without consent of an individual’s personal information when notifying the individual could be reasonably expected to frustrate attempts to deal with fraud (clause 6(9)).
Another new provision would allow disclosure without consent to a government institution or to the individual’s next of kin or authorized representative if there are reasonable grounds to believe that individual has been the victim of “financial abuse,” and the disclosure is solely for the purpose of preventing or investigating it (clause 6(9)).
The bill therefore expands the number and type of organizations that could receive disclosures for which consent has not been obtained; this activity would no longer be limited to government actors or “investigative bodies” that currently receive such information under PIPEDA. (The bill in fact eliminates previous wording about “investigative bodies” from the Act.)
In addition, organizations may be restricted from informing individuals that their personal information has been shared if cases involve subpoenas, warrants or court-ordered production of the information; if a government institution requests the information under the national security, law enforcement or policing services exemptions; if a disclosure is made under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act; or if a disclosure is made to prevent a breach of the law. If an organization wants to notify the individual that his or her personal information has been shared under these circumstances, it must first notify the relevant authority (or other organization) that sought the personal information, which is entitled to respond within 30 days with any objections.17 If the authority objects, the organization cannot notify the individual or disclose that the notice and objection process with the relevant authority even took place. However, the organization that shared the personal information does have to notify the Commissioner of what has occurred (clause 8).
In these cases, an organization is also prohibited from disclosing any information about what was in the subpoena, warrant or government request, and from giving the individual whose personal information is concerned access to such details (clause 8).
It appears that the intent of this provision is to ensure that ongoing investigations are not compromised by disclosure of information to the subject of an investigation.
The bill also changes the consent requirements for the personal information of employees of federal works, undertakings or businesses. Employers will now be able to collect, use and disclose employee information without consent if it is needed to “establish, manage or terminate” employment, provided the employee in question has been notified why the information is being collected, used or disclosed (clause 7).
The bill also adds a new ability to use and disclose personal information without the individual’s knowledge or consent for the purpose of a “prospective business transaction.” This exception appears to be designed to cover mergers or takeovers between companies with large holdings of personal information. Under the exception, the use or disclosure of the personal information must be necessary to determine whether to proceed with the transaction, and to then complete it. In addition, the organizations must have an agreement that requires the receiver of the personal information to use and disclose it only for purposes related to the transaction, to protect it with appropriate security safeguards for its level of sensitivity, and to return or destroy it within a reasonable time if the transaction does not proceed (clause 7).
If the transaction does proceed and is completed, the organizations that have exchanged the personal information may use and disclose it without the knowledge or consent of the individuals involved, if the personal information is needed to carry on the business or activity that was the object of the transaction, under an agreement that it must be used and disclosed solely for the original reasons it was collected. That agreement must also again provide security safeguards at an appropriate level, and it must also stipulate that any withdrawal of consent by the individuals involved will be honoured (clause 7).
Within a reasonable time after the transaction is completed, the individuals affected must be notified of the transaction’s completion and of the disclosure of their personal information (clause 7).
The bill further stipulates that all agreements under this clause between organizations exchanging personal information are binding under the law (clause 7).
However, this type of exchange without knowledge or consent may not take place at all, regardless of any agreements, if the primary purpose or result of the business transaction is to buy, sell, acquire, dispose of or lease personal information (clause 7).
Some new sections are added to PIPEDA introducing requirements to notify people when there has been a breach of the security surrounding their personal information. In particular, a new section 10.1 requires organizations to notify the Commissioner when there has been a “material breach” of the security surrounding their holdings of personal information. A new section 10.2 requires the organization to notify the individuals involved as well — unless there is any other law that prohibits it — if it is “reasonable” in the circumstances to “believe that the breach creates a real risk of significant harm to the individual” (clause 11).
Definitions are provided for how the elements of this test are met. An open-ended definition of “significant harm” is incorporated into PIPEDA, which “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” The key factors for identifying whether there is a real risk of significant harm are also spelled out in the Act; they are the “sensitivity of the personal information” involved and “the probability that the personal information has been, is being or will be misused”(clause 11).
There are also requirements for what the notification must contain: “sufficient information” to allow the individual to understand the significance of the breach and to take steps to mitigate or reduce harm to himself or herself from it. Any other “prescribed information” that could be required under regulations in the future must be included as well. The notification must be “conspicuous” and given directly to the individual, provided it is feasible to do so. The notification must be provided “as soon as feasible” after a breach has been confirmed and the test for notification has been applied (clauses 11 and 18(2)).
Any government institution that could assist the individual in reducing the risk or mitigating harm from the breach must also be notified, and can make limited disclosure of the personal information without the individual’s consent for the purpose of reducing the risk or mitigating the harm (clause 11).
The Commissioner is given oversight over all complaints relating to the new breach notification requirements. The requirements concerning notification of the individuals affected, and the disclosure of their personal information without consent by helpful government institutions, can also be enforced by a court order (clauses 12, 13 and 14). The Commissioner also has a mandate to encourage organizations to develop policies and practices to enforce the new requirements (clause 16).
The bill expands the list of subjects on which regulations can be made and adds a new subsection that allows the regulations to incorporate by reference any standards or specifications produced by a government or other organization. This appears to acknowledge that standards like the Model Code that remains part of PIPEDA’s Schedule may continue to be updated as technologies and other considerations evolve (clause 18(3)).
Various other clauses of the bill contain technical amendments to clarify, update or correct existing wording in PIPEDA (clauses 2(2), 9, 10(1), (2), (3), (4) and (5), 15(1) and (2), 17, 19, and 20).
The bill comes into force on a day or days to be fixed by the Governor in Council (clause 21).
The previous version of Bill C-12, Bill C-29, which was introduced in the House of Commons on 25 May 2010, received one day of second reading debate, on 26 October 2010. During this debate the Honourable Tony Clement, then Minister of Industry, noted, “This bill is about privacy in the digital age and is, therefore, an important element of Canada’s emerging digital economy strategy.” 18
Member of Parliament Claude Gravelle asked whether the Government would support changes to the bill to “properly identify lawful authority and policing services” and asked whether the bill contained penalties for “people or companies that might abuse the bill.” 19
Member of Parliament Joe Volpe expressed concern that the bill “introduce[s] exceptions to [the] kinds of privacy and security that it claims to support.” He added, “It is going to need a lot of amendments in order for me to feel comfortable.” 20
Member of Parliament Carole Freeman indicated that “the Bloc Québécois will vote against Bill C-29 because it is yet another bill that shamelessly interferes in an area under provincial jurisdiction.” 21
Neither Bill C-12 nor its predecessor, Bill C-29, have received substantial media coverage.
On 30 September 2011, Daniel Tencer of The Huffington Post Canada wrote that some experts see shadows of the United States Patriot Act in Bill C-12’s proposed amendments to PIPEDA:
Among the amendment’s provisions are a new rule requiring organizations to report data security breaches to Canada’s privacy commissioner, as well as some exceptions to privacy rules designed to make it easier for companies to carry out day-to-day business.
But what has privacy experts worried is a new provision that allows organizations to hand over personal information about individuals to law enforcement and private investigators without a warrant. And, when the law enforcement agency requests it, the organization can be forbidden from notifying the individual in question that their information has been passed on.22
News articles on Bill C-29 questioned whether the proposed legislation contained sufficient clarity and enforcement mechanisms.23
* Notice: For clarity of exposition, the legislative proposals set out in the bill described in this Legislative Summary are stated as if they had already been adopted or were in force. It is important to note, however, that bills may be amended during their consideration by the House of Commons and Senate, and have no force or effect unless and until they are passed by both houses of Parliament, receive Royal Assent, and come into force. [ Return to text ]
** Notice: This legislative summary is based on the Legislative Summary of Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, prepared by Alysia Davies, formerly of the Library of Parliament, on 23 June 2010. [ Return to text ]
- Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 [PIPEDA]. [ Return to text ]
- Industry Canada, “Backgrounder: Government of Canada Introduces Amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA),” 29 September 2011. [ Return to text ]
- Canadian Standards Association, Model Code for the Protection of Personal Privacy, Publication no. Q830-96, Mississauga, Ont., March 1996. [ Return to text ]
- The standard is in Schedule 1 of the statute and is referenced in its main provisions as well. [ Return to text ]
- The scope of the application of Bill C-12 to employee information collected by employers in federal works, undertakings, or businesses is still somewhat unclear in the case law. Part 2 of PIPEDA deals with electronic documents and is primarily focused on granting them the force of legal documents as well as specifying when they are equivalent to paper copies. [ Return to text ]
- For more information on how provincial legislation is designated substantially similar to PIPEDA, please see: Office of the Privacy Commissioner of Canada, “Substantially Similar Provincial Legislation,” Legal information related to PIPEDA. [ Return to text ]
- See, for example, Josh Nisker, “PIPEDA: A Constitutional Analysis (81 Kb, 27 pages),” Canadian Bar Review, Vol. 85, 2006, In December 2003 the Attorney General of Quebec launched a constitutional challenge to PIPEDA, claiming it encroaches on provincial jurisdiction. That case is ongoing but has remained largely dormant (see, for example, Michael Geist, “State Farm challenges Canada’s privacy law in court,” Toronto Star, 5 April 2010. [ Return to text ]
- State Farm Mutual Automobile Insurance Company v. The Privacy Commissioner of Canada et al., 2010 FC 736. [ Return to text ]
- Those statutes in the three provinces are: An Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1 (Quebec); Personal Information Protection Act, S.A. 2003, c. P-6.5 (Alberta); Personal Information Protection Act, S.B.C. 2003, c. 63 (British Columbia). [ Return to text ]
- Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A (Ontario). [ Return to text ]
- PIPEDA, s. 29. [ Return to text ]
- House of Commons, Standing Committee on Access to Information, Privacy and Ethics, Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA): Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics, 1st Session, 39th Parliament, May 2007. [ Return to text ]
- Government of Canada, “Government Response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics: Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA),” 1st Session, 39th Parliament. [ Return to text ]
- Industry Canada (2011). [ Return to text ]
- Upon Royal Assent, Bill C-28 became An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23. [ Return to text ]
- For more information on Bill C-28, see Alysia Davies and Terrence J. Thomas, Legislative Summary of Bill C-28: An Act to promote the efficiency and adaptablility of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities (207 Kb, 23 pages), Publication no. 40-3-C28-E, Parliamentary Information and Research Service, Library of Parliament, Ottawa, 28 May 2010, revised 4 February 2011. [ Return to text ]
- The grounds for objection are limited to the national security exemptions; the detection, prevention or deterrence of money laundering or of financing of terrorist activities; and/or the law enforcement exemption. [ Return to text ]
- House of Commons, Debates, 3rd session, 40th Parliament, 26 October 2010, 1615 (Honourable Tony Clement, Minister of Industry). [ Return to text ]
- Ibid. (Claude Gravelle), 1630 and 1635. [ Return to text ]
- Ibid. (Joseph Volpe), 1635 and 1640. [ Return to text ]
- Ibid. (Carole Freeman), 1710. [ Return to text ]
- Daniel Tencer, “Canada Privacy Law: Amendment Mimics USA Patriot Act, Critics Charge,” The Huffington Post Canada, 30 September 2011. [ Return to text ]
- See, for example, David Canton, “Changes to privacy laws vague,” The London Free Press, 28 June 2010; David Sulz, “Privacy bill might need more teeth,” The Lethbridge Herald, 1 June 2010. [ Return to text ]