Updated Apr. 8, 2014 at 5:19pm ET by Candice So to include comments from the Privacy Commissioner of Canada.

Businesses and organizations will be formally required to tell individual customers and the Privacy Commissioner of Canada if they’ve suffered a data breach – or pay up to $100,000 in fines for every individual not told, according to the new Digital Privacy Act, or Bill S-4, tabled in the Senate today.

Released today, the act was touted as an update to the Personal Information Protection and Electronic Documents Act. It requires organizations to tell individuals if they’ve lost any personal information, and if they could be targeted for risks like identity theft. They will also have to give individuals advice on next steps in protecting themselves, and they will have to inform the federal privacy commissioner about the data breach.

Fines kick in if companies deliberately avoid informing individuals or the commissioner. This means organizations need to keep records of all the data breaches they’ve experienced, and have them ready to give to the privacy commissioner if asked.

Plus, the Digital Privacy Act also has some implications for an organization’s reputation. It “will provide more flexibility” for the privacy commissioner to publicly reveal the names of organizations that don’t comply with the new legislation.

Under the act, the commissioner will be able to negotiate with organizations to get them to comply. It will also give the commissioner and other complainants a window of up to one year after an investigation ends to ask the Federal Court of Canada to order compliance or to award damages to individuals who have been harmed through a data breach.

“I am pleased that the government has heard our concerns and has addressed issues such as breach notification, enforceable agreements with companies, enhanced powers and stronger compliance incentives,” said interim Privacy Commissioner of Canada Chantal Bernier, in an emailed statement.

“In particular, I welcome proposals with respect to mandatory breach notification, new penalties and provisions that will make it easier for my Office to ensure that companies carry through on commitments they have made during investigations,” she added. “I am also pleased that we will have greater discretion to publicly share more information with Canadians about our investigations.”

The privacy commissioner’s office will be studying the bill and sharing comments with Parliament when the bill comes forward for debate.

“The measures in this act today, especially in informing customers once their data has been breached – these are welcome steps that will go some distance towards improving the commercial privacy of Canadians,” says David Christopher, communications manager of OpenMedia.ca.

“Certainly I know privacy advocates have been waiting for some time to empower the privacy commissioner to levy monetary penalties against companies or organizations that do breach Canadians’ privacy.”

However, he says his issue with the bill is it doesn’t provide any mention of the federal government’s own surveillance of Canadians’ online activities, adding it’s “incoherent” of the Conservatives to put these measures in place for commercial activities, but not government ones.

The Digital Privacy Act fulfils Industry Minister James Moore’s promise to unveil new measures to bolster Canadian consumers’ right to privacy, made during an announcement in Waterloo, Ont. last week.

Other pieces of the act include cutting down on red tape, allowing businesses to collect, use, and share data to manage their employees and do due diligence when they acquire another company or process insurance claims.


  • Murray_B

    What good can come from telling customers about data breaches when many agreements contain clauses like the one in my credit card agreement? The agreement reads in part, “[...] if someone uses your Card or Card Account and PIN, Account Password, or Cardholder Password to obtain the benefits of your Card (either because you intentionally disclosed it to them or otherwise), the Primary Cardholder(s) will be fully responsible for all debt incurred [...]”

    This appears to make me responsible for losses caused by breaches to their system. What good will it do to inform me about the breach if I am responsible for all losses anyway?

    • cynique

      That clause only says that if your card is used, the credit card company isn’t responsible if you give your card to someone, lose the card, or if a third party loses your data.
      Separate terms exist, or civil law applies should the credit card company lose your data, one assumes that a credit card company would be somewhat…expeditious in ‘cancelling’ any card whose data they had exposed. Bill S-4 prevents them from claiming it was “your fault” as they are required to inform both you and the Privacy Commissioner of a breach.

      • Murray_B

        Thanks for the response but I do not understand how S-4 can prevent anything. If laws prevented crimes then wouldn’t we live in a crime-free society? The word “otherwise” in the agreement is clear and unambiguous and means they are not responsible. If they refuse to cover the loss then all the cardholder can do is sue and hope to win. That does not sound like a fair fight to me and could add thousands to the cardholders’ losses.

        • cynique

          I think the key phrase here is “either because YOU intentionally disclosed it to them or otherwise”, my emphasis on the “YOU”. This clause does not apply in situations where the issuing credit card company exposes your data, only in cases where you, or a third party (who is in effect, your agent) cause your card data to be exposed.

          You’re right, laws don’t “prevent” crime, one can only hope that they “deter” crime…we are a flawed species.

  • nomad411

    So, government breaches good, all others costly.