In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.
The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses. This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address. The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools.
The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions. The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.
The bill creates a new work product exception for the collection, use, and disclosure of information produced by an individual in the course of their employment.
The bill purports to clarify “lawful authority” (i.e. disclosure to a lawful authority without a court order), but as David Fraser notes it really doesn’t clarify much of anything.
Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority.

The organization makes its own determination of whether there is a real risk, having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused.
By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person.
In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).
Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices.
http://www.michaelgeist.ca/content/view/5059/125/