The Digital Privacy Act was given a quick third reading in the House yesterday and was speedily given royal assent to become law earlier today. This law, which has been in the making since 2007, updates Canada’s comprehensive federal privacy legislation PIPEDA in quite significant ways. I previously summarized salient aspects of the law in my blog posts, “Digital Privacy Act: Important work still to be done by the INDU Committee” and “Cyber threats, information sharing and The Digital Privacy Act”.
One of the most important parts of the Bill is a new mandatory federal security breach notification regime. This aspect of the law, which will come into force when regulations are finalized, is part of a package of laws promulgated or announced by the Government to deal with the massive problems associated with cybersecurity. Other recently enacted or announced proposed laws that also deal with various aspects of cybersecurity are:
- Bill S-13 – Protecting Canadians from Online Crime Act (Dec. 2014), which, among other things, modernized computer-related offenses and broadened the powers to gather electronic evidence;
- Bill C-51 – Anti-Terrorism Act 2015 (June 2015), which, among other things, permits disclosure of information between government institutions in respect of activities that undermine the security of Canada; and also permits CSIS to obtain judicial warrants permitting it to take steps which may violate the Canadian Charter of Rights and Freedoms if a particular activity constitutes a threat (including a cybersecurity threat) to the security of Canada;
- Canada’s anti-spam law (CASL), which addresses, among other things, both malicious computer code and unwanted emails; and
- Measures announced in the Government’s Economic Action Plan 2015 to protect vital cyber systems.
The Digital Privacy Act is not without flaws. I pointed some out in a prior blog post and in a submission I made to the Standing Committee on Industry, Science and Technology (the INDU Committee) studying Bill S-4.
One area that will be the most challenging will be complying with the amendments to the consent provisions in PIPEDA. Section 6.1 now reads as follows:
For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
As I noted previously, this amendment “would inevitably result in some policies being viewed as too complicated for some groups to understand and not comprehensive enough for others, with other demographics in between. It would also inexorably result in privacy policies and practices, viewed acceptable elsewhere around the world, being found non-compliant with this new Canadian standard for consent.”