On June 18, 2015, the Canadian Minister of Industry announced that the Digital Privacy Act, which amends Canada’s foundational Personal Information Protection and Electronic Documents Act (PIPEDA), has received royal assent and is now law. Although the Act contains a number of provisions that are likely to impact organizations doing business in Canada, certain key features—notably, the security breach notification requirements—will not come into effect until regulations are issued by the Canadian government.
Pursuant to amendments contained in the Digital Privacy Act, organizations will be required to notify the Privacy Commissioner and affected individuals of “any breach of security safeguards involving personal information under [the organization’s] control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”
- The Act’s definition of “significant harm” is broad and includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
- Factors to be considered when assessing the risk of “significant harm” to an individual include the sensitivity of the personal information at issue and the probability of that information being misused.
Details concerning the form, manner, and content of the required notifications, as well as additional factors relevant to the risk assessment, are to be spelled out in the forthcoming regulations.
The Digital Privacy Act provides for fines of up to CA$100,000 for knowing violations of the breach notification requirements, or the requirement that organizations “keep and maintain a record of every breach of security safeguards involving personal information under [the organization’s] control.” Upon request, an organization will be obliged to produce this breach record to the Privacy Commissioner.
It is unclear when regulations will be promulgated for purposes of implementing the federal breach notification requirements in the Digital Privacy Act. Currently, Alberta is the only Canadian province with a mandatory breach notification requirement in effect.