The Safeguarding Canadians’ Personal Information Act – Bill C-29

I am hoping that two consecutive blogs about pending legislation doesn’t mean this is turning into a political blog.  But the introduction of the bill this week caught me by surprise and it looks like it might have a few tidbits that will be of interest to many of my clients.


The bill contains numerous amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).  There are some definitional amendments that exempt business contacts from some of the sections and a few other minor changes.  But most notably, the bill features a provision that requires an organization who has experienced a security breach to report that breach to the federal privacy Commissioner.  While this seems to strengthen the existing privacy framework and provide greater comfort for those of us who divulge our personal information to various organizations on a daily basis, some critics have complained that the provisions are comparatively weak.


The concern is that the bill will create a false sense of comfort where an illusion of transparency is created, but that the lack of significant penalties will not engender compliance.  I don’t think that’s a fair criticism.


I think generally speaking, Canada’s experience with privacy laws has been a positive one.  Although our overall framework carries little in the way of penalties for organizations that do not meet their responsibilities with respect to the personal information that they collect, store and transmit, my experience has been that businesses take the laws very seriously.


We have worked with various types of businesses, in creating and implementing privacy policies and in ensuring that ongoing practices are compliant with not only PIPEDA, but the OECD core privacy principles themselves.


As the privacy landscape evolves, I am confident that business will evolve likewise.  And as the ongoing – and very public – experience of Facebook has shown, compliance is not only a matter of avoiding statutory penalties, it is a matter of making a good name for yourself in an area of increasing importance to consumers.


If you have any questions about your current privacy practices or the statutory and common law landscape in this area, please contact me.


Scott R. Young