When the Personal Information Protection and Electronic Documents Act (PIPEDA) was amended by the Digital Privacy Act in 2015 to bring the legislation into the “digital age“, the amendments included a provision that introduced privacy breach reporting and record keeping requirements. The coming into force of these provisions was delayed to permit the development of regulations that would set out the details of organizations’ obligations. In September 2017, draft regulations were published, which set out various requirements such as the form, content, manner, and timing of the mandatory breach reporting and record keeping obligations.

Through order in council the federal government has now fixed the date for the coming into force of the mandatory breach reporting and record keeping provisions as November 1, 2018. The draft regulations may be implemented at the same time, but allow for a lag period between the publication of the final regulations and their coming into force.

Some Western Canadian jurisdictions already have breach notification requirements, including British Columbia, Alberta, and Saskatchewan (as of January 1, 2018).

The order in council also fixes the date for the coming into force of enforcement provisions, which permit the Privacy Commissioner of Canada to enter into compliance agreements with organizations.