Posted: May 5, 2016
Written by: Andrew Buck
The PC Party of Manitoba recently announced its cabinet members. What does the election of a new government mean for privacy, in Manitoba?
The most interesting thing to watch will be the fate of The Personal Information Protection and Identity Theft Prevention Act (or PIPITPA, which really rolls off the tongue). PIPITPA is the comprehensive Manitoba private sector privacy law that was passed in the fall of 2013. Its passage was significant because, among other things, it was an opposition private member's bill. In fact, the PC Party had first introduced a form of the bill in 2004, and it took nine attempts before it was finally approved by the Legislature.
The catch was that PIPITPA would not come into force until it was proclaimed by government, which had little appetite to do so. The PC Party might be more willing to bring the law into force.
What can we expect, if that happens?
As a private member's bill, PIPITPA could not include provisions that would result in a financial obligation being placed on government. These obligations (such as an enforcement or complaint regime) must be added onto the law. In addition, PIPITPA is based on Alberta's private sector privacy legislation. Recall that the Supreme Court of Canada declared portions of the law unconstitutional, in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers. So, some minor clean-up work may be required, to ensure PIPITPA passes constitutional muster.
When and if PIPITPA comes into force (with the amendments described above), it would likely be deemed "substantially similar" to the Personal Information Protection and Electronic Documents Act (or PIPEDA, the federal private sector privacy legislation). Thereafter, businesses in Manitoba would need to comply with PIPITPA, rather than PIPEDA.
Finally, mandatory privacy breach notification appears to be coming to Manitoba, one way or another. The federal government has issued a consultation paper, for regulations to PIPEDA which will define the contours of PIPEDA's pending breach notification requirements. PIPITPA also contains a mandatory breach reporting regime. Either way, then, privacy breach reporting is on its way.
For business owners, the impact of these changes could include new obligations and penalties, for non-compliance with your privacy obligations. Consider updating your privacy breach notification and recordkeeping strategy (or creating one, if you haven't yet done so).