Updated Apr. 8, 2014 at 5:19pm ET by Candice So to include comments from the Privacy Commissioner of Canada.
Businesses and organizations will be formally required to tell individual customers and the Privacy Commissioner of Canada if they’ve suffered a data breach – or pay up to $100,000 in fines for every individual not told, according to the new Digital Privacy Act, or Bill S-4, tabled in the Senate today.
Released today, the act was touted as an update to the Personal Information Protection and Electronic Documents Act. It requires organizations to tell individuals if they’ve lost any personal information, and if they could be targeted for risks like identity theft. They will also have to give individuals advice on next steps in protecting themselves, and they will have to inform the federal privacy commissioner about the data breach.
Fines kick in if companies deliberately avoid informing individuals or the commissioner. This means organizations need to keep records of all the data breaches they’ve experienced, and have it ready to give to the privacy commissioner if asked.
Plus, the Digital Privacy Act also has some implications for an organization’s reputation. It “will provide more flexibility” for the privacy commissioner to publicly reveal the names of organizations that don’t comply with the new legislation.
Under the act, the commissioner will be able to negotiate with organizations to get them to comply. It will also give the commissioner and other complainants a window of up to one year after an investigation ends to ask the Federal Court of Canada to order compliance or to award damages to individuals who have been harmed through a data breach.
“I am pleased that the government has heard our concerns and has addressed issues such as breach notification, enforceable agreements with companies, enhanced powers and stronger compliance incentives,” said interim Privacy Commissioner of Canada Chantal Bernier, in an emailed statement.
“In particular, I welcome proposals with respect to mandatory breach notification, new penalties and provisions that will make it easier for my Office to ensure that companies carry through on commitments they have made during investigations,” she added. “I am also pleased that we will have greater discretion to publicly share more information with Canadians about our investigations.”
The privacy commissioner’s office will be studying the bill and sharing comments with Parliament when the bill comes forward for debate.
“The measures in this act today, especially in informing customers once their data has been breached – these are welcome steps that will go some distance towards improving the commercial privacy of Canadians,” says David Christopher, communications manager of OpenMedia.ca.
“Certainly I know privacy advocates have been waiting for some time to empower the privacy commissioner to levy monetary penalties against companies or organizations that do breach Canadians’ privacy.”
However, he says his issue with the bill is it doesn’t provide any mention of the federal government’s own surveillance of Canadians’ online activities, adding it’s “incoherent” of the Conservatives to put these measures in place for commercial activities, but not government ones.
The Digital Privacy Act comes as a fulfilment to Industry Minister James Moore’s promise to unveil new measures to bolster Canadian consumers’ right to privacy, made during an announcement in Waterloo, Ont. last week.
Other pieces of the act include cutting down on red tape, allowing businesses to collect, use, and share data to manage their employees and do due diligence when they acquire another company or process insurance claims.