On April 8, the federal government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada’s private-sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation.
The initial focus has, unsurprisingly, centered on the new security breach disclosure requirements that would require organizations to disclose breaches that put Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The current bill fixes an obvious shortcoming from the earlier bills by adding some teeth to the disclosure requirements with the addition of penalties for violations of the law. Moreover, Bill S-4 stops short of granting the Privacy Commissioner full order-making power as is found at the provincial level, but the creation of compliance orders has some promise of holding organizations to account where violations occur.
Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.
The government is already working to expand warrantless disclosure of subscriber information to law enforcement with Bill C-13 (the “cyber-bullying bill”) including an immunity provision from any criminal or civil liability (including class-action lawsuits) for companies that preserve personal information or disclose it without a warrant. The law currently entrusts companies with a gatekeeper role since it permits them to either voluntarily disclose personal information as part of a lawful investigation or demand that law enforcement first obtain a court order. The immunity provision makes it more likely that disclosures will occur without a warrant since the legal risks associated with such disclosures are removed.
In light of revelations that telecom companies and Internet companies already disclose subscriber information tens of thousands of times every year without a court order, the immunity provision is enormously problematic. Yet it pales in comparison to the Digital Privacy Act, which would expand the possibility of warrantless disclosure to anyone, not just law enforcement. Bill S-4 proposes that:
“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation.”
Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies to both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).
When might this apply?
Consider the recent copyright case in which Voltage Pictures sought an order requiring TekSavvy to disclose the names and addresses of thousands of subscribers. The federal court established numerous safeguards to protect privacy and discourage copyright trolling by requiring court approval for any demand letters being sent to subscribers. If Bill S-4 were the law, the court might never become involved in the case. Instead, Voltage could simply ask TekSavvy for the subscriber information, which could be legally disclosed (including details that go far beyond just name and address) without any court order and without informing their affected customers.
In fact, the potential use of this provision extends far beyond copyright cases. Defamation claims, commercial battles, and even consumer disputes may all involve alleged breaches of agreements or the law. While the organization with the personal information (telecom companies, social media sites, local businesses) might resist disclosing information without a court order, the law would not require them to do so.
The resulting framework from C-13 and S-4 is stunning from an anti-privacy perspective:
- organizations could disclose subscriber or customer personal information without a court order to law enforcement with full legal immunity from liability
- organizations could disclose subscriber or customer personal information without a court order to any other organization claiming investigation of an actual or potential contractual breach or legal violation
- the disclosures would be kept secret from the affected individuals
- the disclosing organizations would be under no obligation to report on their practices or past disclosures
The government claims the Digital Privacy Act “will provide new protections for Canadians when they surf the web and shop online.” What it does not say is that the same bill will open the door to massive warrantless disclosure of their personal information.
- -
A version of this article appeared at michaelgeist.ca and is republished under a Creative Commons license.
[image via Ben Stanfield/Flickr]