Carters Professional Corporation


Editor: Terrance S. Carter



By Terrance S. Carter & Colin J. Thurston *


In our April 2014 Charity Law Update, we reported that the Federal Government introduced Bill S-4, the Digital Privacy Act,[1] in the Senate on April 8, 2014. Bill S-4 has since undergone second reading on May 8, 2014 and is scheduled to be debated by the Standing Committee on Transport and Communications on May 28, 2014. This Charity Law Bulletin expands upon the information on Bill S-4 provided in April 2014 Charity Law Update and provides greater detail about the provisions proposed in Bill S-4 that may affect charities and not-for-profits if it receives Royal Assent and is proclaimed into force.


The Bill is very similar to previous legislation intended to amend the Personal Information Protection and Electronic Documents Act (“PIPEDA”),[2] such as the former Bill C-12[3] (September 2011) and Bill C-29[4] (May 2010).  Similar to the previous legislation, the amendments proposed by Bill S-4, if passed, will affect the way that charities and not-for-profits disclose personal information which is subject to PIPEDA. Many activities of charities and not-for-profits would not be considered “commercial activities” and may be exempt from the application of PIPEDA.  However, as there is no categorical exemption for registered charities or not-for-profits, there are many circumstances in which the law will apply to personal information collected, used or disclosed by these types of organizations.

The amendments proposed by Bill S-4 would permit organizations to disclose personal information to another organization without the knowledge or consent of the individual where the disclosure is necessary to investigate a breach of an agreement or a contravention of the laws of Canada in circumstances where it would be reasonable to expect that disclosure with the individual’s knowledge or consent would compromise the investigation. Further, proposed amendments would permit disclosure of personal information to other organizations where it would be reasonable in order to detect or suppress fraud, or prevent fraud that is likely to be committed in circumstances where it would be reasonable to expect that disclosure with the individual’s knowledge or consent would compromise the ability to prevent, detect or suppress the fraud.

As such, these proposed amendments would expand the circumstances under which personal information could be disclosed without the individual’s knowledge or consent, and would include both past breaches of contract and violations of law as well as potential suspected violations of law that could occur in the future.

The amendments would also permit organizations to disclose personal information to an individual’s next of kin, authorized representative or to a government institution without the knowledge or consent of the individual where the organization believes that the individual has been the victim of financial abuse. In such instances, the disclosure must also be made solely for purposes related to preventing or investigating the suspected financial abuse and it reasonably expected that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse.

If passed, Bill S-4 would also restrict organizations from informing individuals that their personal information has been shared with enforcement and security agencies where the government institution to whom the information was disclosed objects. This includes situations involving government institution requests for information under the national security, law enforcement or policing services exemptions, including a request for disclosure under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.[5]

Bill S-4 also re-introduces new responsibilities under a new Division 1.1, “Breaches of Security Safeguards”, such as notification requirements which require reporting of breaches of security safeguards involving personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. In such circumstances, and unless prohibited by law, Bill S-4 would also require the notification of individuals where the security safeguards involving their personal information were breached. Furthermore, in such circumstances, organizations would also be required to notify other organizations, government institutions or a part of a government institution of the breach if the notifying organization believed that the other organization or the government institution or part concerned would be able to reduce the risk of harm that could result from it or mitigate that harm.

Also of note, Division 1.1 would grant greater authority for enforcement of PIPEDA to the Federal Privacy Commissioner, providing it with the authority to enter into compliance agreements with organizations to ensure compliance particularly with provisions in Division 1 or recommendations in Schedule 1 of PIPEDA regarding the protection of personal information.  Once a compliance agreement is entered into, the Commissioner would be prohibited from applying for a section 14 of 15 court hearing, although other individuals would not be precluded from applying for section 14 court hearings or from being prosecuted for offences under PIPEDA.

Where the Commissioner is of the opinion that a compliance agreement has been complied with, all section 14 and 15 applications will be withdrawn. However, where an organization has not complied with the compliance agreement, the Commissioner may apply to the court for an order to require the organization to comply. Alternatively, the Commissioner may begin or reinstate a section 14 or 15 hearing against a non-compliant organization.


Charities and not-for-profits are advised to monitor the progress of Bill S-4. As technological means continue to be utilized by charities and not-for-profits in their collection and handling of individuals’ personal information, the evolution of privacy laws will require continued compliance efforts and monitoring of the organization’s information practices.


* Terrance S. Carter, B.A., LL.B., Trade-Mark Agent, is the managing partner of Carters Profession Corporation, and counsel to Fasken Martineau DuMoulin LLP on charitable matters. Colin J. Thurston, B.A., J.D. is an associate of Carters Professional Corporation and a registered trade-mark agent with the Canadian Intellectual Property Office. Colin practices at Carters’ Orangeville office in the areas of intellectual property, privacy and information technology. The authors would like to thank Adriel Clayton, B.A. (Hons), J.D., Student-at-Law, for assisting in the preparation of this bulletin.

[1] Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, 2nd Sess, 41st Parl (second reading 08 May 2014).

[2] Personal Information Protection and Electronic Documents Act, S.C. 2000, c 5.

[3] Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act, 1st Sess, 41st Parl.

[4] Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, 3rd Sess, 40th Parl.

[5] Proceeds of Crime (Money Laundering) Act, SC 2000, c 17.


DISCLAIMER: This Charity Law Bulletin is a summary of current legal issues provided as an information service by Carters Professional Corporation. It is current only as of the date of the Bulletin and does not reflect subsequent changes in the law. The Charity Law Bulletin is distributed with the understanding that it does not constitute legal advice or establish the solicitor/client relationship by way of any information contained herein. The contents are intended for general information purposes only and under no circumstances can be relied upon for legal decision-making. Readers are advised to consult with a qualified lawyer and obtain a written opinion concerning the specifics of their particular situation.
© 2014 Carters Professional Corporation