On November 1, 2018, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was amended to include stringent, mandatory breach notification rules. These rules are similar to the European Union’s General Data Protection Regulation (GDPR), which took effect in May, 2018. Organizations that conduct business in Canada will be subject to PIPEDA as well as the GDPR, if that organization is accessible in the European market. The new PIPEDA regulations reinforce the image of Canada as an international leader in personal data protection during the global movement toward privacy protection.
The Canadian government released draft guidelines explaining that as of November 1, 2018, organizations subject to PIPEDA will be required to: 1) Report to the Office of the Privacy Commissioner of Canada (OPC) breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals; 2) notify affected individuals, “as soon as feasible” about those breaches; and 3) keep records of all breaches. These requirements will apply to every organization that collects, uses, or discloses personal information in the course of commercial activities in Canada. A breach that creates a risk of significant harm will need to reported even if it only affects one person. The guidelines help organizations in submitting a breach report to the OPC, ensuring proper records are kept, learning how to notify affected people, and in assessing real risk of significant harm.
PIPEDA defines a, “breach of security safeguards” simply as a data loss or unauthorized access or disclosure of personal information that creates significant harm. Moreover, “significant harm” is defined at a high level, and includes bodily injury, humiliation, damage to reputation or relationships, loss of employment, identity theft, negative effects on the credit report and damages to or loss of property. Failure to maintain records of breaches, report breaches to the Commissioner, and notify the affected user(s), can lead to penalties prescribed by PIPEDA of fines up to $100,000 per violation. Organizations should implement and test their notification procedures as soon as possible.