Bill C-413: An Act to amend the Personal Information Protection and Electronic Documents Act (compliance with obligations)

Bill C-413 If you have any questions or comments regarding the accessibility of this publication, please contact us at [email protected]. LEGISinfo First Reading Bilingual view XML PDF Skip to Document Navigation Skip to Document Content Personal Information Protection and Electronic Documents Act First Session, Forty-second Parliament, 64-65-66-67 Elizabeth II, 2015-2016-2017-2018 HOUSE OF COMMONS OF CANADA BILL C-413 An Act to amend the Personal Information Protection and Electronic Documents Act (compliance with obligations) FIRST READING, June 20, 2018 Mr. Erskine-Smith 421526 SUMMARY This enactment amends the Personal Information Protection and Electronic Documents Act to expand the grounds on which the Privacy Commissioner may decide not to investigate a complaint. It also authorizes the Privacy Commissioner to make orders directing an organization to take any action that, in the Commissioner’s opinion, is reasonable to ensure compliance with the organization’s obligations under the Act. Finally, this enactment provides that an organization that is found to have failed to comply with certain obligations under the Act is liable to a fine. Available on the House of Commons website at the following address: www.ourcommons.ca 1st Session, 42nd Parliament, 64-65-66-67 Elizabeth II, 2015-2016-2017-2018 HOUSE OF COMMONS OF CANADA BILL C-413 An Act to amend the Personal Information Protection and Electronic Documents Act (compliance with obligations) Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows: 2000, c. 5 Personal Information Protection and Electronic Documents Act 1 Subsection 12(1) of the Personal Information Protection and Electronic Documents Act is amended by striking out “or” at the end of paragraph (b), by adding “or” at the end of paragraph (c) and by adding the following after paragraph (c): (d) having regard to all the circumstances, an investigation is not necessary or reasonably practicable. 2 Paragraph 12.‍2(1)‍(f) is replaced by the following: (f) any of the circumstances mentioned in paragraphs 12(1)‍(a) to (d) apply; or 3 The Act is amended by adding the following after section 12.‍2: Compliance Orders Compliance orders 12.‍3 (1) On completing an investigation, if the Commissioner is of the opinion that the organization that is the object of the investigation has contravened a provision of Division 1 or 1.‍1 or has not followed a recommendation set out in Schedule 1, he or she may, by order, direct the organization to do, or to refrain from doing, anything that, in the Commissioner’s opinion, is reasonable and necessary in order to ensure compliance with Division 1 or 1.‍1 or Schedule 1. Conditions (2) The Commissioner may specify any conditions in the order that he or she considers appropriate. Copy of order (3) The Commissioner shall give a copy of the order to the organization concerned and, if the investigation was conducted in respect of a complaint filed by an individual, to that individual. Compliance (4) The organization shall comply with the order within the period specified by the Commissioner in the order or, on written application by the organization within the specified period, within any longer period that the Commissioner considers reasonable in the circumstances. Effect of filing (5) An order of the Commissioner under subsection (1) becomes an order of the Court when a certified copy of it is filed in that court, and it may subsequently be enforced as such. 4 The portion of subsection 13(1) of the Act before paragraph (a) is replaced by the following: Contents 13 (1) If the Commissioner decides not to make an order under subsection 12.‍3(1) in respect of a matter that is the object of an investigation, he or she shall, within one year after the day on which a complaint is filed or is initiated by the Commissioner, prepare a report that contains 5 Subsection 14(1) of the Act is replaced by the following: Application 14 (1) A complainant may, after receiving the Commissioner’s report, being notified under subsection 12(3) of a decision under paragraph 12(1)‍(d) that the complaint will not be investigated or being notified under subsection 12.‍2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.‍1.‍3,4.‍2,4.‍3.‍3,4.‍4,4.‍6,4.‍7 or 4.‍8 of Schedule 1, in clause 4.‍3,4.‍5 or 4.‍9 of that Schedule as modified or clarified by Division 1 or 1.‍1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.‍1. 6 The portion of subsection 18(1) of the Act before paragraph (a) is replaced by the following: Compliance 18 (1) The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization to verify compliance or prevent non-compliance with the provisions of Division 1 or 1.‍1or the recommendations set out in Schedule 1, and for that purpose may 7 The Act is amended by adding the following after section 28: Offence and punishment — organization 28.‍1 (1) Every organization that knowingly or recklessly contravenes section 5 is guilty of (a) an offence punishable on summary conviction and liable to a fine not exceeding $15 million; or (b) an indictable offence and liable to a fine not exceeding $30 million. Aggravating or mitigating factors (2) In determining the amount of a fine to be imposed under subsection (1), the court shall consider the following: (a) the size, resources and capacity of the organization; (b) the nature, gravity and duration of the contravention, taking into account the nature, scope or purpose of the organization’s activities as well as the number of individuals affected and any loss or damage suffered by them as a result of the contravention; (c) any measures taken by the organization to mitigate the loss or damage suffered by the individuals; (d) the history of compliance with this Act by the organization; (e) the extent to which the organization has cooperated with the Commissioner to remedy the contravention and mitigate its adverse effects; (f) the nature of the personal information in relation to which the offence was committed; and (g) any other relevant factor. Published under authority of the Speaker of the House of Commons Publication Explorer Publication Explorer ParlVU