Canadian Patriot Act introduced

Today a couple of changes to Canada’s privacy landscape were introduced under the infamous banner of “safety and security”. This will create significant changes to PIPEDA and FISA, Canada’s legislation around private sector privacy and spam respectively. I’ve been asked what this means, so I will try to summarize:

The changes introduced today to PIPEDA propose:

  • if your organization is breached, you will notify the federal privacy commissioner as well as individuals where there is a risk of harm.
  • a requirement that organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information. (It mentions children and the vulnerable, but no technical details on how this requirement would be implemented)
  • exceptions to allow for the release of personal information to help protect victims of financial abuse, to help locate missing persons and to identify injured, ill or deceased individuals (again, no details on technical implementation).
  • exceptions to consent for the collection, use and disclosure of information needed for, among others, managing the employment relationship, information produced for work purposes (“work product”), and information used for due diligence in business transactions.
  • organizations will also be able to share and use business contact information that is required to conduct day-to-day business.
  • a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-size organizations.
  • amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order.
  • new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.

Today the Fighting Internet and Wireless Spam Act (FISA) was also reintroduced, which is anti-spam legislation. For more information, see the Marketwire press release