June 18, 2015 marks another step forward for a country with already strong privacy laws, with the long-awaited passage of the Digital Privacy Act in Canada. The Digital Privacy Act amends Canada’s existing privacy framework, the Personal Information Protection and Electronic Documents Act(“PIPEDA”). The new law provides for mandatory breach notification and penalties for failure to notify, and revises certain provisions regarding consent.
The breach notification requirements and penalties will not become effective until regulations are issued. Once effective, PIPEDA will require notification when there is a “real risk of significant harm” to the individual. Although breach notification is a welcome change that promises to increase compliance with the existing framework, the Digital Privacy Act’s addition of exemptions from the existing consent requirements gives businesses some slack on the protection of information such as business contact information and personal information in the context of business transactions.
On a related note across the sea, a breach notification law was also passed recently in the Netherlands.