In addition to the breach notification requirement discussed in Part I, Bill C-12 also proposes a number of other smaller amendments to PIPEDA which will be of interest to Canadian businesses. Many of those changes would serve to formalize or clarify existing duties and exceptions under PIPEDA.
Here is a quick summary of these other amendments in Bill C-12:
1. New exemptions for prospective and completed business transactions
In addition to the existing exceptions that allow for use and disclosure of personal information without the consent of individuals to whom the information pertains, Bill C-12 will further allow use and disclosure of personal information required for prospective and completed business transactions.
The new s.7.2(1) of PIPEDA would allow organizations that are parties to a prospective business transaction to use and disclose personal information without the knowledge and consent of the individuals if:
1. the organizations have entered into an agreement that requires the organization that receives the personal information:
- to use and disclose that information solely for purposes related to the transaction,
- to protect that information by security safeguards appropriate to the sensitivity of the information, and
- if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and
2. the personal information is necessary
- to determine whether to proceed with the transaction, and
- if the determination is made to proceed with the transaction, to complete it.
Once the transaction has been completed, the organization acquiring the personal information may use it under the same conditions for which it was collected, subject to notifying the individuals to whom the information pertains within a reasonable time after the transaction is completed.
Note that these new provisions are intended for situations where one organization is acquired by another and do not apply where the primary purpose of the transaction is the sale, lease or other disposition of personal information.
This change will come as welcome news to businesses, as it will make the due diligence process involved in buying and selling a business easier. This change also brings PIPEDA into alignment with the private sector privacy legislation in Alberta and BC, which have a similar exemption.
2. Exclusion of certain business contact information from PIPEDA
Under Bill C-12, an individual’s business contact information will be excluded from the application of PIPEDA if that information is collected, used or disclosed solely to communicate with the individual in the business context.
Bill C-12 defines “business contact information” to mean “an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual.” This change would also bring PIPEDA in line with the BC and Alberta private sector privacy statutes.
PIPEDA currently only exempts the name, title or business address or telephone number of an employee of an organization. The Privacy Commissioner of Canada had previously ruled on a number of occasions that “business address” in that context did not include a person’s business e-mail address. This new exception would allow the use of a person’s business e-mail address in the business context. However, any use of an e-mail address will also have to comply with the new Canadian anti-spam law (CASL), once that legislation is proclaimed in force.
3. Guidance on the elements of valid consent
PIPEDA does not contain a specific definition of “consent” beyond the guidelines found under Principle 3 of the statute’s Model Code.
Bill C-12 would amend the body of PIPEDA by inserting a clause that provides some guidance on what constitutes “consent” under the Act. It specifies that “the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.”
While some guidance on the meaning of consent is welcome, ensuring that an individual understands the “nature, purpose and consequences” could be difficult to satisfy, and may impose additional requirements on businesses. Businesses should review and update their sign-up form and website language to ensure compliance with this new standard.
4. New permitted disclosures
Bill C-11 adds new exceptions to s. 7(3) of PIPEDA and allows the disclosure of personal information, without the consent of the individual to whom the information pertains, for the purposes of:
- identifying an injured, ill or deceased individual and communicating with their next of kin,
- performing police services,
- preventing, detecting or suppressing fraud, or
- protecting victims of financial abuse
These new exceptions will allow limited uses of personal information in situations where it is impractical or impossible to obtain consent.
5. New exceptions for employment relationships with federal works, undertakings and businesses
Bill C-12 also creates a new exception that allows a federal work, undertaking or business to collect, use and disclose personal information of an individual without consent in order to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual.
This too will be a welcome change for federally-regulated employers, who will now have the same flexibility with regard to employment-related information as employers operating in the private sector.