The new regime applies to organizations regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). It applies to organizations handling the personal information of most Canadians in the course of commercial activities. Alberta, British Columbia and Quebec have separate legislation. Mandatory breach notification has been in place in Alberta for years, and it is expected that British Columbia and Quebec will follow suit to ensure their privacy legislation remains ‘substantially similar’ to PIPEDA.
Under the new regime, organizations that suffer a breach of security safeguards that gives rise to a “real risk of significant harm” will be required to (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify affected individuals; and (iii) notify any other third party that is in a position to mitigate the risk of harm to affected individuals. These notifications must be made as soon as feasible after the organization determines that the breach has occurred.
The breach reporting requirements were included in the Digital Privacy Act that was passed in 2015. Almost three years later, sections 10, 11 and 14, subsections 17(1) and (4), and sections 19 and 22 to 25 will come into effect and will amend PIPEDA. In September 2017, the federal government released the draft regulations and indicated that the proposed regulations would be delayed coming into force after their publication to give organizations time to adjust their policies and procedures.
The government has tried to strike a balance so that consumers receive meaningful notification of breaches that rise to the level of a “real risk of significant harm”. If the right balance is struck, consumers will pay attention and take steps to protect themselves, and mitigate further harm. If the wrong balance is struck, there will be an influx of notices, and there is a real risk of notification fatigue.
- extreme tiredness after mental exertion resulting from attending to an influx of notifications
- a state of inurement or indifference brought about by excessive appeals to one’s attention by notifications
- a reduction in the efficiency of mental processing after being bombarded by notifications