The New Canadian Digital Privacy Act (Bill S-4)

The government of Canada has introduced a bill to amend PIPEDA on privacy matters. The bill appears to be largely the same as Bill C-29 from 2010. It imposes a duty on organizations that have custody of personal information to disclose to the Privacy Commissioner and to affected individuals the fact of any breach of security affecting that personal information, if the breach creates a ‘significant risk of serious harm’ to the individual. Both terms (significant risk and serious harm are defined, or at least given more flavour, in the bill.)

(7) For the purpose of this section, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

(a) the sensitivity of the personal information involved in the breach;
(b) the probability that the personal information has been, is being or will be misused; and
(c) any other prescribed factor.

Do these changes seem constructive to you? Are they headed in the right direction?

In many ways they are consistent with the Uniform Protection of Privacy (Breach Notification) Act adopted by the ULCC in 2010. (The report of the Working Group that precedes the Uniform Act canvasses some of the issues raised as well by the federal bill.)

The occasions on which holders of personal information may legally disclose the information have been expanded as well, also consistently with the 2010 proposals.

Bill C-29 was criticised by Michael Geist when it appeared, and those criticisms probably apply to the new bill.

Other, or additional, views?


  1. David Collier-Brown

    I have a niggle: substitute “impersonation” for “identity theft”. The former is well-defined and is understood to neither require nor suggest negligence on the part of the victim.

    Identity theft, on the other hand, has been used in the UK as part of an argument that a bank was not liable for an impersonation, as the victim was (necessarily?) at fault.

    [ain’t english wunnerfull?]