Innovation, Science and Economic Development Canada has recently published a consultation document intended to solicit stakeholder comments for consideration as it prepares draft regulations for data breach requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA). On June 18, 2015, the Digital Privacy Act amended Canada’s private sector privacy laws. While most of the amendments made by the Digital Privacy Act are currently in force, the amendments creating a mandatory data breach reporting regime will not come into force until regulations setting out prescribed requirements have been enacted. Following the consultation process, the government will publish draft and final regulations in the Canada Gazette.
Please note that privacy laws for the private sector are not harmonized across all Canadian jurisdictions. For example, Alberta currently has in force mandatory data breach reporting requirements for all private sector organizations. Accordingly, it is important to assess a private breach on a case by case basis.