Digital Privacy Act (Bill S-4) now law

The Digital Privacy Act was given a quick third reading in the House yesterday and was speedily given royal assent to become law earlier today. This law, which has been in the making since 2007, updates Canada’s comprehensive federal privacy legislation PIPEDA in quite significant ways. I previously summarized salient aspects of the law in my blog posts, Digital Privacy Act: Important work still to be done by the INDU Committee and Cyber threats, information sharing and The Digital Privacy Act.

One of the most important parts of the Bill is a new mandatory Federal security breach notification regime. This aspect of the law, which will come into force when regulations are finalized, is part of a package of laws promulgated or announced by the Government to deal with the massive problems associated with cybersecurity. Other recently enacted or announced proposed laws that also deal with various aspects of cybersecurity are

  • Bill S-13 – Protecting Canadians from Online Crime Act (Dec. 2014), which, among other things, modernized computer related offenses and broadened the powers to gather electronic evidence;
  • Bill C-51 – Anti-Terrorism Act 2015 (June 2015), which, among other things, permits disclosure of information between government institutions in respect of activities that undermine the security of Canada; and also permits CSIS to obtain judicial warrants permitting it to take steps which may violate the Canadian Charter of Rights and Freedoms if a particular activity constitutes a threat (including a cybersecurity threat) to the security of Canada;
  • Canada’s anti-spam law (CASL) which addresses, among other things,  both malicious computer code and unwanted emails;
  • Measures announced in the Government’s Economic Action Plan 2015 to protect vital cyber systems.

The Digital Privacy Act is not without flaws. I pointed some out in a prior blog post and in a submission I made to the Standing Committee on Industry, Science and Technology (the INDU Committee) studying Bill S-4.

One area that will be the most challenging will be complying with the amendments to the consent provisions in PIPEDA. Section 6.1 now reads as follows:

For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

As I noted previously this amendment “would inevitably result in some policies being viewed as too complicated for some groups to understand and not comprehensive enough for others, with other demographics in between. It would also inexorably result in privacy policies and practices, viewed acceptable elsewhere around the world, being found non-compliant with this new Canadian standard for consent.”

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright and privacy bills to be introduced in House of CommonsCopyright and privacy bills to be introduced in House of Commons



The Government will likely introduce new Bills to amend the Copyright Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) within the next few days. The Parliament of Canada Notice Paper for Wednesday September 28, 2011 provides notice that the Minister of Industry and Minister of State (Agriculture) will introduce ...

Developments in computer, Internet and e-commerce law: the year in review (2018-2019)Developments in computer, Internet and e-commerce law: the year in review (2018-2019)



I gave my annual presentation yesterday to the Toronto computer Lawyers’ Group on “The year in review in Computer, Internet and E-Commerce Law”. It covers the period from June 2018 to June 2019. The developments include cases from Canada, the U.S. the U.K., EU, Australia, South Africa, India and other countries. ...

Long arm of EU privacy law: CJEU judgment in Weltimmo v HatóságLong arm of EU privacy law: CJEU judgment in Weltimmo v Hatóság



The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad ...

%d bloggers like this: