Digital Privacy Act (Bill S-4) now law

The Digital Privacy Act was given a quick third reading in the House yesterday and was speedily given royal assent to become law earlier today. This law, which has been in the making since 2007, updates Canada’s comprehensive federal privacy legislation PIPEDA in quite significant ways. I previously summarized salient aspects of the law in my blog posts, Digital Privacy Act: Important work still to be done by the INDU Committee and Cyber threats, information sharing and The Digital Privacy Act.

One of the most important parts of the Bill is a new mandatory Federal security breach notification regime. This aspect of the law, which will come into force when regulations are finalized, is part of a package of laws promulgated or announced by the Government to deal with the massive problems associated with cybersecurity. Other recently enacted or announced proposed laws that also deal with various aspects of cybersecurity are

  • Bill S-13 – Protecting Canadians from Online Crime Act (Dec. 2014), which, among other things, modernized computer related offenses and broadened the powers to gather electronic evidence;
  • Bill C-51 – Anti-Terrorism Act 2015 (June 2015), which, among other things, permits disclosure of information between government institutions in respect of activities that undermine the security of Canada; and also permits CSIS to obtain judicial warrants permitting it to take steps which may violate the Canadian Charter of Rights and Freedoms if a particular activity constitutes a threat (including a cybersecurity threat) to the security of Canada;
  • Canada’s anti-spam law (CASL) which addresses, among other things,  both malicious computer code and unwanted emails;
  • Measures announced in the Government’s Economic Action Plan 2015 to protect vital cyber systems.

The Digital Privacy Act is not without flaws. I pointed some out in a prior blog post and in a submission I made to the Standing Committee on Industry, Science and Technology (the INDU Committee) studying Bill S-4.

One area that will be the most challenging will be complying with the amendments to the consent provisions in PIPEDA. Section 6.1 now reads as follows:

For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

As I noted previously this amendment “would inevitably result in some policies being viewed as too complicated for some groups to understand and not comprehensive enough for others, with other demographics in between. It would also inexorably result in privacy policies and practices, viewed acceptable elsewhere around the world, being found non-compliant with this new Canadian standard for consent.”

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

COVID-19 and privacy: artificial intelligence and contact tracing in combatting the pandemicCOVID-19 and privacy: artificial intelligence and contact tracing in combatting the pandemic



COVID-19 is having a debilitating effect on people’s health and their economic well-being. People are being forced by social distancing/isolating edicts and provincial emergency closure orders to stay home. As we slowly look like we may be emerging from the first wave of this health and economic emergency, people are ...

Supreme Court rules on whether access laws apply to records of PMO but not which records are personal informationSupreme Court rules on whether access laws apply to records of PMO but not which records are personal information



The Supreme Court released its reasons Friday in an important appeal in which the Court had to decide whether citizens can demand disclosure of records located in the offices of the Prime Minister, Ministers of the Crown, the RCMP and PCO under the Access to Information Act. In Canada (Information ...

The “Right to be Forgotten” Guideline from the Article 29 Working PartyThe “Right to be Forgotten” Guideline from the Article 29 Working Party



In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they ...

%d bloggers like this: