new canadian privacy and anti-spam laws – updated again

Update 2: Here is a redline showing the changes from the November, 2009 version of ECPA to the May 25 version of FISA, in Word and PDF. The Word version shows the wording of some existing provisions which FISA is amending. You’ll need to scroll over to the right starting around s. 70 to see them. Not included in the PDF version. Doesn’t look like much has changed. Happy reading.

Update: Links to the bills added. See also comments and observations from Barry Sookman, Michael Geist (one on FISA and the other on SCPIA) and David Canton. Mostly just initial observations, except for Mr. Geist’s post on SCPIA. His nickname for the bill (the “Anti-Privacy Privacy Bill”) should give you an idea of his thoughts on it.

Yesterday the federal government announced the tabling of two new significant pieces of legislation. The first is the Fighting Internet and Wireless Spam Act, which has been acronymed as “FISA”. And no, I don’t know why they dropped the W. Maybe easier to pronounce? As many readers probably know, this is the rechristened Electronic Commerce Protection Act that died last year when Parliament was prorogued. In addition to the catchier name, there were a few substantive tweaks to the law. You can read the rather long-winded press release through the link above. Alternatively, here’s the point form version:

  • fairly strict and comprehensive approach to unsolicited commercial e-mail (i.e. spam), described as “multi-faceted”
  • enables government agencies to share information with international counterparts to pursue foreign violators
  • sizeable fines for violations – up to $1 million for individuals and $10 million for businesses ($15 million in certain cases) for each violation
  • allows businesses and consumers to sue spammers directly, modelled on U.S. laws
  • technology neutral – spam, spim, junk faxes, robocalls – all treated the same

The second piece of legislation is a set of amendments to the existing Personal Information Protection and Electronic Documents Act (or PIPEDA). Doesn’t quite roll off the tongue as nicely as FISA. [Update: The amending act is actually nicely entitled the Safeguarding Canadians’ Personal Information Act which is somewhat sexier.] Point form summary:

  • breach notification requirement – must notify privacy commissioner for material breach and individuals if risk of harm
  • enhanced consent requirements to ensure people (particularly minors) clearly understand the consequences of sharing personal information
  • exceptions added to help people (financial abuse, missing persons, identify dead people)
  • exceptions added for business contact information and to manage employees, information produced for work purposes and due diligence in acquisitions and similar corporate transactions
  • exceptions added for private sector investigations and fraud prevention
  • prohibitions on notifying individuals in connection with disclosure of personal information to law enforcement agencies

More to come in due course.