{ Legal Innovation }
The New Digital Privacy Act:
Businesses Should Re-evaluate Their Risk
By Kirsten Thompson
Passed into law June 18, 2015, the Digital Privacy Act (Bill S-4) introduces, among other things, significant fines and mandatory breach notification (not yet in force) into the Personal Information Protection and Electronic Documents Act.

Organizations that handle personal information (PI) in the course of their activities will want to review their privacy policies and security safeguards. In light of the new power to levy significant monetary penalties, organizations (and their boards of directors) should rethink their allocation of risk around these issues.

Will prior consents still be valid? Will new consents be required?

The Act introduces a "sliding scale" of consent, which may render existing consents null. It states that "the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting [emphasis added]."

The amended language appears to require organizations to assess the sophistication of those who use their websites, apps, products and services to determine whether they understand what they are reading and agreeing to.

Most existing consents have been obtained on the basis of "one size fits all" privacy statements that address only the nature of the PI collected and how it will be used. Few, if any, will address the new requirement that "consequences" be stated. Organizations will need to be cautious about drafting new "consequence" statements, as these could come back to haunt them in privacy complaints or privacy litigation.

Questions to ask yourself: Does your organization direct its activities toward "vulnerable" populations (e.g., minors, the elderly, recent immigrants or ESL speakers)? Does your existing privacy policy or privacy statement use plain language? Does it address the "consequences" of your organization's collection of PI? A yes to the first question or a no to the last two should have you thinking about a review.

Mandatory notification to whom? And how quickly?

The Act introduces new obligations with respect to breaches of security safeguards or a failure to establish those safeguards (although these will not be in force until regulations are passed).

Once in force, an organization will be required to notify the Commissioner of any breach of security safeguards involving PI under its control if the breach creates a "real risk of significant harm to an individual." "Significant harm" is defined broadly and specifically includes "humiliation [or] damage to reputation or relationships." Organizations will also be required to notify potentially affected individuals of such a breach.

In both cases, notification must be made "as soon as feasible after the organization determines that the breach has occurred."

The "as soon as feasible" requirement is likely to be challenging for organizations in the throes of a data breach, where facts are moving targets and it takes weeks (sometimes months) to understand what has happened. Organizations will be reluctant to provide anything too specific for fear of litigation down the road and may in fact be required to issue multiple notices as an investigation evolves, leading to consumer confusion and "breach fatigue."

Questions to ask yourself: Do you have a process to assess whether there is a "real risk of significant harm"? Do you know how you would notify regulators and/or individuals? Do you have a process to coordinate notifications across multiple regulators and/or outsourced handlers of PI? If you don't have answers to these questions, it may be time to consider them.

How much are the new penalties? And for what violations?

The Act introduces liability for knowingly violating the notification requirements (up to $100,000 per violation). It is unclear at this time whether a "violation" will include a single incident (e.g., a single failure to notify all individuals) or each incident (e.g., each failure to notify each individual). Fines also attach to a failure to meet new record keeping obligations.

Faced with this new monetary liability, organizations should re-assess how they have allocated risk with respect to privacy issues.

Questions to ask yourself: Does your current approach to privacy reflect the possibility of significant monetary pen-
