41st Parliament · Session 2
Bill C-475: An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power)
Introduced
October 16, 2013
Current Stage
Bill Defeated
Last Updated
January 29, 2014
Sponsor
Charmaine Borg
Politicians' Vote
47% Support
283 MPs
Parliamentary Votes
1
Statements
47
Votes on this bill
That the Bill be now read a second time and referred to the Standing Committee on Access to Information, Privacy and Ethics.
Wed Jan 29 2014
Yeas: 133
Nays: 150
Total: 283
House of Commons
Bill reinstated from previous session
Completed on October 16, 2013
Second reading
Not yet started
Consideration in committee
Not yet started
Report stage
Not yet started
Third reading
Not yet started
Senate
First reading
Not yet started
Second reading
Not yet started
Third reading
Not yet started
Summary
This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things, give the Privacy Commissioner the power to make compliance orders and the Federal Court the power to impose fines in cases of non-compliance.
Full Text
C-475
First Session, Forty-first Parliament, 60-61-62 Elizabeth II, 2011-2012-2013
HOUSE OF COMMONS OF CANADA
BILL C-475
An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power)
first reading, February 26, 2013

NOTE
2nd Session, 41st Parliament
This bill was introduced during the First Session of the 41st Parliament. Pursuant to the Standing Orders of the House of Commons, it is deemed to have been considered and approved at all stages completed at the time of prorogation of the First Session. The number of the bill remains unchanged.
Ms. Borg
411668

SUMMARY
This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things, give the Privacy Commissioner the power to make compliance orders and the Federal Court the power to impose fines in cases of non-compliance.
Available on the Parliament of Canada Web Site at the following address: http://www.parl.gc.ca

1st Session, 41st Parliament, 60-61-62 Elizabeth II, 2011-2012-2013
HOUSE OF COMMONS OF CANADA
BILL C-475
An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power)
2000, c. 5
Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

1. The Personal Information Protection and Electronic Documents Act is amended by adding the following after section 10:
Definition of “harm”
10.01 (1) For the purposes of this section and section 10.02, “harm” includes bodily harm, humiliation, embarrassment, injury to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, identity fraud, negative effects on credit rating and damage to or loss of property.
Notice to Commissioner
(2) An organization having personal information under its control shall notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.
Relevant factors
(3) The factors that are relevant in determining whether a loss or disclosure of, or unauthorized access to, personal information would be considered by a reasonable person as creating a risk of harm are
(a) the sensitivity of the personal information; and
(b) the number of individuals whose personal information was involved.
Notification to be made without unreasonable delay
(4) The notification must be made without unreasonable delay after the discovery of the loss or disclosure of, or unauthorized access to, personal information.
Notification requirements
(5) The notification must contain the information and be made in the form prescribed in the regulations or otherwise specified by the Commissioner.
Commissioner’s assessment of risk
10.02 (1) Upon the receipt of the notification referred to in subsection 10.01(2), the Commissioner may require the organization to notify affected individuals to whom there is an appreciable risk of harm as a result of the loss or disclosure of, or unauthorized access to, personal information.
Obligation to notify affected individuals
(2) If the Commissioner determines that the loss or disclosure of, or unauthorized access to, personal information is likely to result in an appreciable risk of harm to the affected individuals, the Commissioner shall, as soon as feasible, order the organization to notify the affected individuals without unreasonable delay.
Notification by an organization
(3) Nothing precludes an organization from notifying affected individuals of the loss or disclosure of, or unauthorized access to, personal information on its own initiative; in which case, the organization shall, without delay, inform the Commissioner that it has done so.
Notification requirements
(4) The notification to the affected individuals of the loss or disclosure of, or unauthorized access to, personal information shall include
(a) a report of the risk of harm as it pertains to the affected individuals;
(b) instructions for reducing the risk of harm or mitigating that harm; and
(c) any other prescribed information.
Form and manner of notification
(5) The notification shall be clear and delivered directly to the individual in the prescribed form and manner.
Notification of compliance
(6) Once the organization has complied with the notification order referred to in subsection (2), it shall notify the Commissioner of that fact.

2. The Act is amended by adding the following after section 12.1:
Compliance order
12.11 Upon completion of an investigation of a complaint, the Commissioner may order the organization that is the object of the complaint to take the necessary actions to comply with this Act, which may include
(a) correcting its practices in order to comply with sections 5 to 10, including by
(i) fulfilling any obligation under the Act,
(ii) destroying data,
(iii) ceasing to collect, use or disclose personal information, and
(iv) deleting or adding a record; and
(b) publishing a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a).
Time limit
12.12 The Commissioner shall establish a time limit for the implementation of any order made under section 12.11.
Extension of time limit
12.13 (1) Upon a request by the organization that is the object of the complaint, the Commissioner may extend the time limit for the implementation of the order at any time throughout the implementation period established by the Commissioner.
Extension of time limit only granted once
(2) The extension of the time limit may only be granted once.

3. (1) Paragraph 13(1)(a) of the Act is replaced by the following:
(a) the Commissioner’s findings, recommendations and any order made under section 12.11;
(2) Subsection 13(1) of the Act is amended by striking out “and” at the end of paragraph (c), by adding “and” at the end of paragraph (d) and by adding the following after paragraph (d):
(e) a time limit on the implementation of any order made under section 12.11.

4. The Act is amended by adding the following after section 16:
Right of action ― Commissioner
16.1 (1) If the Commissioner determines that the organization has not complied with the orders made under section 12.11 within the time limit established in section 12.12, or orders made under subsection 10.02(2) or 19(1), the Commissioner shall have a right of action against the organization.
Factors
(2) The Court shall consider the following factors when determining what penalty to impose on the organization:
(a) the number of orders not complied with by the organization;
(b) whether the organization is commercial or non-commercial; and
(c) whether the organization took reasonable measures under the circumstances to comply with the orders of the Commissioner.
Monetary penalty
(3) The organization which fails to comply with an order issued under section 12.11 or subsection 19(1) may be subject to a single monetary penalty of no more than $500,000.
Punitive damages
(4) The organization which fails to comply with an order made under subsection 10.02(2) may be subject to punitive damages imposed by the Court.
Right of action
16.2 If the Commissioner has issued an order under section 12.11 and the order has become final as a result of there being no further extension of the time limit under section 12.13, any individual affected by any violation of this Act specified in the order has a right of action against the organization for damages or loss suffered as a result of the non-compliance of the organization with its obligations under this Act.

5. Subsection 19(1) of the Act is replaced by the following:
Report ― findings, recommendations and orders
19. (1) After an audit, the Commissioner shall provide the audited organization with a report that contains the findings of the audit and any recommendations and orders that the Commissioner considers appropriate.

Published under authority of the Speaker of the House of Commons
Version History
October 18, 2013 at 06:31 AM
Doc ID: 6257953
February 27, 2013 at 07:28 AM
Doc ID: 6000116