In our April 2014 Charity Law Update, we reported that the
Federal Government introduced Bill S-4, the Digital Privacy Act, in the Senate on April 8, 2014. Bill S-4 has since undergone second reading on
May 8, 2014 and is scheduled to be debated by the Standing Committee on
Transport and Communications on May 28, 2014. This Charity Law Bulletin expands upon the information on Bill S-4 provided in the April 2014 Charity Law
Update and provides greater detail about the provisions proposed in Bill
S-4 that may affect charities and not-for-profits if it receives Royal Assent
and is proclaimed into force.
B. BILL S-4, THE DIGITAL PRIVACY ACT
The Bill is very similar to previous legislation intended
to amend the Personal Information Protection and Electronic Documents Act (“PIPEDA”), such as the former Bill C-12 (September 2011) and Bill C-29 (May 2010). Similar to the previous legislation, the amendments proposed by
Bill S-4, if passed, will affect the way that charities and not-for-profits
disclose personal information which is subject to PIPEDA. Many activities of
charities and not-for-profits would not be considered “commercial activities”
and may be exempt from the application of PIPEDA. However, as there is no
categorical exemption for registered charities or not-for-profits, there are
many circumstances in which the law will apply to personal information
collected, used or disclosed by these types of organizations.
The amendments proposed by Bill S-4 would permit
organizations to disclose personal information to another organization without
the knowledge or consent of the individual where the disclosure is necessary to
investigate a breach of an agreement or a contravention of the laws of Canada
in circumstances where it would be reasonable to expect that disclosure with
the individual’s knowledge or consent would compromise the investigation.
Further, proposed amendments would permit disclosure of personal information to
other organizations where it would be reasonable in order to detect or suppress
fraud, or prevent fraud that is likely to be committed in circumstances where
it would be reasonable to expect that disclosure with the individual’s
knowledge or consent would compromise the ability to prevent, detect or
suppress the fraud.
As such, these proposed amendments would expand the
circumstances under which personal information could be disclosed without the
individual’s knowledge or consent, and would include both past breaches of
contract and violations of law as well as potential suspected violations of law
that could occur in the future.
The amendments would also permit organizations to disclose
personal information to an individual’s next of kin, authorized representative
or to a government institution without the knowledge or consent of the
individual where the organization believes that the individual has been the
victim of financial abuse. In such instances, the disclosure must also be made
solely for purposes related to preventing or investigating the suspected
financial abuse and it is reasonably expected that disclosure with the knowledge
or consent of the individual would compromise the ability to prevent or
investigate the abuse.
If passed, Bill S-4 would also restrict organizations from
informing individuals that their personal information has been shared with
enforcement and security agencies where the government institution to whom the
information was disclosed objects. This includes situations involving
government institution requests for information under the national security,
law enforcement or policing services exemptions, including a request for
disclosure under the Proceeds of Crime (Money Laundering) and Terrorist
Bill S-4 also re-introduces new responsibilities under a
new Division 1.1, “Breaches of Security Safeguards”, such as notification
requirements which require reporting of breaches of security safeguards
involving personal information if it is reasonable in the circumstances to
believe that the breach creates a real risk of significant harm to an
individual. In such circumstances, and unless prohibited by law, Bill S-4 would
also require the notification of individuals where the security safeguards
involving their personal information were breached. Furthermore, in such
circumstances, organizations would also be required to notify other
organizations, government institutions or a part of a government institution of
the breach if the notifying organization believed that the other organization
or the government institution or part concerned would be able to reduce the
risk of harm that could result from it or mitigate that harm.
Also of note, Division 1.1 would grant greater authority
for enforcement of PIPEDA to the Federal Privacy Commissioner, providing it
with the authority to enter into compliance agreements with organizations to
ensure compliance particularly with provisions in Division 1 or recommendations
in Schedule 1 of PIPEDA regarding the protection of personal information. Once
a compliance agreement is entered into, the Commissioner would be prohibited
from applying for a section 14 or 15 court hearing, although other individuals
would not be precluded from applying for section 14 court hearings or from
being prosecuted for offences under PIPEDA.
Where the Commissioner is of the opinion that a compliance
agreement has been complied with, all section 14 and 15 applications will be
withdrawn. However, where an organization has not complied with the compliance
agreement, the Commissioner may apply to the court for an order to require the
organization to comply. Alternatively, the Commissioner may begin or reinstate
a section 14 or 15 hearing against a non-compliant organization.
Charities and not-for-profits are advised to monitor the
progress of Bill S-4. As technological means continue to be utilized by
charities and not-for-profits in their collection and handling of individuals’
personal information, the evolution of privacy laws will require continued
compliance efforts and monitoring of the organization’s information practices.