On June 18, 2015, the Digital Privacy Act, which amends the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), received Royal Assent. Most provisions of the Digital Privacy Act are now in force. A copy of the provisions can be found here.

As previously discussed in this blog, the Digital Privacy Act makes a number of substantive and housekeeping amendments to PIPEDA. It is the end result of multiple legislative attempts over the past several years to update PIPEDA; for the most part, these updates were without serious controversy.

The major changes now in force are:

  1. Confirmation that employers of federally-regulated businesses have implicit consent to deal with their employee information in the context of the employment relationship; this mirrors similar provisions contained in the Personal Information Protection Act ("PIPA") of British Columbia and of Alberta.
  2. Introduction of a "business transaction" exemption into PIPEDA, similar to the exemption currently set out in PIPA; PIPEDA-regulated enterprises will now be able to utilize this exemption when buying or selling a business.
  3. Addition of an exemption permitting disclosure between organizations for the purpose of investigating a breach of agreement.
  4. A requirement that the effectiveness of a consent given to the organization must be considered subjectively in the context of the relevant audience.
  5. Clarification of the rules surrounding witness statements, business contact information and employee work product.

The most significant change being made by the Digital Privacy Act is not yet in effect, and will be brought into force by regulation at a future date. PIPEDA-regulated organizations will now be subject to a compulsory privacy breach reporting system, and a system of fines and penalties will be put in place for failure to comply. The relevant threshold will be the "real risk of significant harm" test currently used in Alberta's compulsory breach reporting regime, which has been in place for several years. The reporting system will involve both a report to the federal Privacy Commissioner, and a report to the affected individuals. Regulations will need to be developed and finalized to support this system.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.