Legislative Alert: Bill S-4, an Act to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) passed in House of Commons.

Today, June 18, 2015, Bill S-4, the Digital Privacy Act was passed by Canada’s House of Commons vote. Bill S-4 was previously passed by Canada’s Senate.

The Digital Privacy Act includes important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These include:

Mandatory Breach Notification

When the amendments come into force (on a date yet to be determined), Canada will have a new federal data breach reporting law. An organization will be required to notify the Office of the Privacy Commissioner of Canada following a breach of security safeguards involving personal information under its control when there is a real risk of significant harm to individuals from the breach. Organizations will also be required to notify affected individuals in these circumstances.

Record Keeping

An organization will also be required to keep records of each and every breach of security safeguards involving personal information under its control and, upon request, provide the Office of the Privacy Commissioner, with access to that record.

Bill S-4 provides other provisions and amendments, including compliance agreements and fines, which Timothy Banks of Dentons LLP previously discussed [http://www.privacyanddatasecuritylaw.com/canadas-digital-privacy-rethink-fines-enforceable-compliance-agreements-and-more].

We will continue to report on Bill S-4 and compliance strategies over the coming months.


reddit goes all-HTTPS—joining Wikipedia, Netflix and even the feds

If you were worried about spooks knowing that your favorite subreddit is /r/belize, fear not—reddit has finally joined the HTTPS party. Earlier this week, the site announced that starting June 29, it will refuse plaintext HTTP traffic.

Last September, reddit allowed HTTPS connections for users that turned the feature on or used something like HTTPS Everywhere.

reddit is merely the latest site in a long list of large outlets making the switch. For instance, Wikipedia announced it would be doing the same thing less than a week ago. In April 2015, Netflix announced it would make the switch for its video streams. And the White House Office of Management and Budget (OMB) did too after issuing the HTTPS-Only Standard directive, which requires all publicly accessible federal websites and Web services to use only HTTPS.

Read 1 remaining paragraphs | Comments

Are we nearly there yet?

If you kids ask that one more time…

Well, I think its only fair for us poor Data Protection kids in Europe to have been asking this on repeated occasions over the last three and a half years.  It’s certainly a frequent topic of conversation with clients and practitioners alike.  And the answer is?  Well, nearly…

It’s been a long road, but something of a milestone was reached on Monday as the Council of Ministers finally passed its own “general approach” on proposed changes to the Commission’s draft Data Protection Regulation.  That’s nearly three and a half years after the European Commission first published its draft of the Regulation in January 2012.

This “general approach” is effectively the Council’s starting position for negotiations with the other two European institutions (the Commission and the Parliament) to reach a final form of wording on the Regulation.  This “trilogue” stage is due to start on the 24th June.

So, where do we stand on timing?

You might think that means (to steal another travel analogy) full steam ahead towards a quick resolution.

Well, certainly the talk has now swung to focus on “when”, rather than “if” the Regulation will be passed.  And, officially, the stated aim is to reach a final agreement by the end of 2015.

However, this appears optimistic.  The length of time that the Council has taken to reach its agreed position is indicative of both the variety and strength of views on the key issues at stake with the reform of data protection across Europe.  This was evident in the fact that in the last draft of the Council’s text that was seen before the official announcement there remained over six hundred member state reservations – or areas where particular member states expressed a reservation with the approach being adopted.  Expect to see these as areas of stalled negotiations during trilogue.


Well, its unlikely to be all plain sailing from here and there may still be some bumps in the road.

On the face of it, the Council has certainly stuck closer than the European Parliament to the Commission proposal in key areas.  For example, on fines, the Council have agreed on the same limit as the Commission (a maximum of 2% of worldwide annual turnover).  The Council also has agreed that a single regulation should apply rather than another directive subject to local implementation (something that had been a real sticking point for some Member States).  It is also agreed with the application of the law to non-European entities and the “new” right to be forgotten.

These are important fundamental principles that need to be aligned.  So definitely some positive signs for reaching agreement.

However, there are still some that will require quite a bit of work.  In particular, what was apparent from the Council’s text is that many Articles provide for Member State carve outs.  With these Articles operating like a Directive, the idea of having a fully harmonised Regulation is certainly under threat and this will likely be an area discussed in length during negotiations.

So, the long winding road continues.  But, even once you allow for the two year transition period, we’re still likely to reach the go-live date for the new rules sometime in 2018.  Not much time to plan!