We’ve blogged previously about the patchwork of state data privacy laws, and the challenges it poses for multinational businesses. Now, U.S. companies need to beware of our neighbor to the north as well: Canada has enacted a new breach notification regulation that may have implications well beyond its geographical borders.
The new Breach of Security Safeguards Regulations to the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect on November 1, 2018 and requires organizations to report a data breach—even if only one person is affected—if it creates a “real risk of significant harm.”
The Regulatory Impact Analysis Statement accompanying the new regulation explains that it is intended to bring Canada’s privacy laws closer in line with the European Union’s General Data Protection Regulation or GDPR, which has been in effect for almost 150 days.
But the new law raises a far more difficult question for international organizations: just how far beyond Canada’s borders does it reach?
In short, U.S.-based and multinational organizations that handle the personal data of Canadians should carefully assess whether they are subject to Canadian data privacy laws. If a data breach potentially affects the personal data of Canadians, companies should consider whether a notification under the Canadian Breach of Security Safeguards Regulations is required.
Such notices are generally required to be sent to the Privacy Commissioner of Canada and affected individuals, at minimum. The Canadian law does not set a specific time frame to report a breach.
Similar to the GDPR regime, the cost of noncompliance with the Canadian law is steep. If a business knowingly withholds information about a breach or fails to keep the required records, fines can reach C$100,000 per day.
Interestingly, the Canadian legislature recognized the problem created by patchwork regulation within its own borders, and exempted organizations and activities that take place wholly within the Canadian provinces of Quebec, British Columbia and Alberta, which all have laws that were deemed similar to PIPEDA. But there is no such carve-out for companies that are already regulated by a U.S. privacy law, such as California’s new Consumer Privacy Act of 2018, which we have discussed in earlier blog posts.