In July 2015, the Government of Canada amended the Personal Information Protection and Electronic Documents Act to require companies to disclose data breaches to the Privacy Commissioner of Canada and to affected individuals. The amendments would require companies to disclose breaches “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”
Almost 2 ½ years after the statutory amendments were enacted, the requirement to disclose is still not in force because the Government is still debating the regulations aimed at implementing the changes.
In the meantime, massive data breaches involving companies like Equifax and Uber, as mentioned in Bloomberg News, have occurred. In Equifax’s case, it waited several months before revealing breaches, and according to the Globe and Mail, failed to disclose “how many Canadians were affected even as it provided specifics about the number of Americans and Brits who were impacted.” Canada’s Privacy Commissioner was not even notified of the breach by Equifax – it learned through media reports. With respect to Uber, the Globe and Mail wrote that it concealed a massive breach involving 57 million persons for over 1 year and refused to respond to requests about how many Canadians were affected.
It is high time for Canada to bring into force the law and to take aggressive steps to enforce it, because the current experience shows that voluntary reporting is a failure that puts Canadians at risk.