This is the title of a client update that we published today, co-authored by me and my colleague Paul Broad. Here’s our conclusion section on the significance of Bill C-29 to our clients:
Many of the proposed substantive amendments to PIPEDA are changes that would be welcome to organizations regulated by the Act as they clarify ambiguities and address practical issues not contemplated by the original legislation.
Some may argue that PIPEDA has been a “paper tiger” since it came into force. Very few organizations subject to the Act have been compelled to answer a PIPEDA complaint, and far fewer have had to respond to a PIPEDA application in the Federal Court. Some have compared PIPEDA’s status to that of provincial and federal human rights legislation, but it has not had nearly the same impact, nor has it been the source of the same degree of operational risk.
Bills C-29 and C-28 could change this. Though the administrative procedure for handling PIPEDA complaints would largely remain the same – indeed, the Commissioner would actually be granted a greater discretion to decline to deal with complaints – the new data breach reporting and notification duties could cause organizations to engage with individuals about matters regulated by PIPEDA in a manner that many have not yet done. This engagement would come with the significant costs of notification. Even more significantly, it would come post-breach, when organizations are vulnerable and large groups of individuals are upset.
Organizations should think about engaging with individuals proactively, before a breach occurs. This includes implementing systems and processes that would allow them to confidently answer the questions that might be asked by individuals who are notified of a data breach. Organizations that can answer those questions may be able to disarm aggravated individuals and avoid, or at least reduce, the chance of irreconcilable conflict.
For the full update, click here.