Privacy & Information Security Law Blog

On May 25, 2010, two privacy-related bills were introduced in the Parliament of Canada: the Fighting Internet and Wireless Spam Act (“FISA” or Bill C-28) and the Safeguarding Canadians’ Personal Information Act (Bill C-29) amending the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Bill C-29 is the long-awaited government response to the five-year mandatory review of PIPEDA.  The centerpiece of the bill is a new disclosure provision for security breaches related to personal information.  Key elements in the security breach notification proposal include:

• Any “material breach of security safeguards involving personal information” would have to be reported to the Privacy Commissioner of Canada.
• A determination of whether the breach is “material” would be made by the entity, based on the sensitivity of the information, the number of individuals affected and whether there is a systemic problem.
• Notification would have to be made “as soon as feasible” individuals affected by the breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
• A determination of whether there is a “real risk” would be made by the entity, based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused.

In addition, the bill proposes other amendments to PIPEDA, including changes related to protecting the privacy of minors and other vulnerable individuals online.

Bill C-28, the anti-spam legislation, is a re-titled and re-introduced version of Bill C-27, which was unanimously passed by the House of Commons in November 2009, but died when Prime Minister Stephen Harper prorogued Parliament.  FISA is largely aimed at deterring spam email from being sent or received in Canada, and at driving spammers out of the country.  The bill also proposes “a private right of action” modeled on U.S. legislation that “would allow consumers and businesses to take civil action against anyone who violates the FISA” according to Industry Canada.  FISA establishes a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce, and features a technology-neutral approach that would treat all forms of commercial electronic messages, including text messages, equally.

Both bills must go through a number of specific stages in the House of Commons and the Senate before they can be approved and become law.