new canadian privacy and anti-spam laws – updated again

Update 2: Here is a redline showing the changes from the November, 2009 version of ECPA to the May 25 version of FISA, in Word and PDF. The Word version shows the wording of some existing provisions which FISA is amending. You’ll need to scroll over to the right starting around s. 70 to see them. Not included in the PDF version. Doesn’t look like much has changed. Happy reading.

Update: Links to the bills added. See also comments and observations from Barry Sookman, Michael Geist (one on FISA and the other on SCPIA) and David Canton. Mostly just initial observations, except for Mr. Geist’s post on SCPIA. His nickname for the bill (the “Anti-Privacy Privacy Bill”) should give you an idea of his thoughts on it.

Yesterday the federal government announced the tabling of two new significant pieces of legislation. The first is the Fighting Internet and Wireless Spam Act, which has been acronymed as “FISA”. And no, I don’t know why they dropped the W. Maybe easier to pronounce? As many readers probably know, this is the rechristened Electronic Commerce Protection Act that died last year when Parliament was prorogued. In addition to the catchier name, there were a few substantive tweaks to the law. You can read the rather long winded press release though the link above. Alternatively, here’s the point form version:

  • fairly strict and comprehensive approach to unsolicited commercial e-mail (i.e. spam), described as “multi-faceted”
  • enables government agencies to share information with international counterparts to pursue foreign violators
  • sizeable fines for violations – up $1 million for individuals and $10 million for businesses ($15 million in certain cases) for each violation
  • allows businesses and consumers to sue spammers directly, modelled on U.S. laws
  • technology neutral – spam, spim, junk faxes, robocalls – all treated the same

The second piece of legislation are amendments to the existing Personal Information Protection and Electronic Documents Act (or PIPEDA). Doesn’t quite roll off the tongue as nicely as FISA. [Update: The amending act is actually nicely entitled the Safeguarding Canadians’ Personal Information Act which is somewhat sexier.] Point form summary:

  • breach notification requirement – must notify privacy commissioner for material breach and individuals if risk of harm
  • enhanced consent requirements to ensure people (particularly minors) clearly understand the consequences of sharing personal information
  • exceptions added to help people (financial abuse, missing persons, identify dead people)
  • exceptions added for business contact information and to manage employees, information produced for work purposes and due diligence in acquisitions and similar corporate transactions
  • exceptions added for private sector investigations and fraud prevention
  • prohibitions on notifying individuals in connection with disclosure of personal information to law enforcement agencies

More to come in due course.

alberta enacts breach notification requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect over the weekend (May 1, to be precise). The amendments included a variety of changes but perhaps most notably include a new notification requirement if an organization experiences a security breach.

The Alberta government has come out with a brochure (PDF) to help organizations understand their obligations under this new requirement. Here’s the Coles Notes version:

  • you must notify the Alberta Privacy Commissioner of any loss, unauthorized access or unauthorized disclosure of personal information without delay
  • notification is mandatory (i.e. it’s an offence if you don’t) if a reasonable person believes there is a real risk of significant harm to an individual as a result of the breach and optional if it isn’t
  • the Commissioner then decides whether individuals need to be notified. If they do, the Commissioner will tell you and you will need to comply accordingly

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification, which I won’t regurgitate here.

While this is old hat in the US, with many (most?) US states already having having such requirements in place, it is relatively new in Canada. Apart from the somewhat terse breach notification requirements under the Ontario Personal Health Information Protection Act, Alberta’s legislation appears to be the first in Canada. The concept however has been subject to discussion for some time now. Other provinces (I believe Newfoundland and New Brunswick) have legislation pending along the same lines, but Alberta’s is the first to address breaches relating to personal information generally, not just health information. The Uniform Law Commission of Canada has also studied the matter a fair bit and came out with a report and draft legislation (PDF) last year. John Gregory, the General Counsel of the Ontario Ministry of the Attorney General, has also given presentations (PPT) on the topic.

In short, all this points to the fact that it isn’t a question of whether there will be such requirements throughout Canada, but rather when. Organizations that hold a significant amount of personal information would be well-advised to consider the adequacy of their existing security measures and whether they need to be upgrade, given the potential cost of security breaches in light of these requirements.