Canada’s proposed Digital Privacy Act, aimed at helping Canadians protect their personal information online, exposes everyone from a tiny convenience store to a multinational corporation to onerous requirements they may not be able to meet, some privacy lawyers are warning.
One provision of Bill S-4 that’s sounding alarms, for example, is the mandatory reporting of all data security breaches to the Privacy Commissioner. That may not sound like a bad idea, but the legislation fails to distinguish between millions of credit cards being compromised and a document being left out overnight inside a locked office, says David Fraser at McInnes Cooper.
“If my firm had a clean-desk policy ... and I violated that policy, even though I have a lock on my door and there’s another set of locks before you can even get near my office ... I’d have to fill out a report. If you don’t provide all that information to the Privacy Commissioner, that’s an offence. You can be fined and actually go to jail.
“Now imagine you’re a bank and you’ve got 40,000 employees. If somebody leaves a file folder on their desk when they’re not supposed to, they have to report that to the privacy office and a report has to be done. It introduces an enormous administrative cost on to businesses, and I’m not sure businesses can even comply with it.”
It’s going to be interesting to see how the new law will work on cross-border data breaches, says Kirsten Thompson at McCarthy Tétrault LLP. “What generally happens is, the Canadian side of the problem is sacrificed to US concerns because of the US class-action litigation and fines levied by the Federal Trade Commission — which are in the millions. With the Digital Privacy Act, you’re going to have to rethink your risk-management program wholesale because with the Privacy Commissioner shifting from an ombudsman’s role to an enforcement role, you’re getting a jeopardy that’s equivalent to the US.”
Thompson believes the bill’s new consent threshold is also going to cause problems. The legislation stipulates that, in order for a person to consent to their information being collected and used, they must understand the “consequences of the activity” to which they are consenting.
While the aim is to protect children and other vulnerable groups, she says, there are questions about whether businesses serving a broad demographic can meet the new threshold. “At a high level, it might mean you have to draft multiple types of consent for whatever your audience is. It may mean you have to segregate certain sections of your site.” While that may be acceptable under the proposed new law, she says, “I don’t imagine it’s going to be acceptable to businesses.”
At the other end of the spectrum, says Fraser, S-4 is going to make it easier for businesses to share Canadians’ personal information in cases of an alleged contract breach or if they’re suspected of violating the law.
“That could include a Hollywood studio contacting an ISP for copyright infringement,” he says. “They could ask for customer names and addresses associated with IP addresses they’ve associated with file-sharing, for example. The service providers would legally be able to hand over that information, which I find troubling.”