On June 18, 2015, the Canadian Parliament passed into law the Digital Privacy Act, or Senate Bill S-4, amending Canada's federal data protection statute, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to organizations engaged in business practices in Canada.9 Certain features of the new law were in effect immediately following the bill's passage, except for provisions related to a mandatory data breach notification requirement, which will not come into effect until the Canadian government issues further regulations. An expected date for issuance of regulations related to the mandatory breach notification requirement has not yet been announced.

The new law’s mandatory data breach notification provisions require organizations that are subject to PIPEDA to provide notification of a breach “as soon as feasible” to the Office of the Privacy Commissioner of Canada and potentially impacted individuals, and “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” The law provides a definition of “significant harm,” which includes, but is not limited to, bodily harm, reputational damage, humiliation, financial loss, and identity theft. Additionally, the law requires each organization subject to PIPEDA to maintain a record of all security breaches involving personal information. The law imposes fines up to C$100,000 for any organization that knowingly violates these requirements.

The new law contains provisions that amend consent requirements under PIPEDA, including enactment of a graduated consent standard where consent is necessary if personal information is being used, collected, disclosed, accessed, or transferred. Among the exemptions to the new consent requirements are a business transactions exemption where organizations may, in certain, cases use, collect, access, or disclose personal information for business transaction purposes (e.g., merger or acquisition), as well as certain circumstances where personal information is required for an investigation in connection with a breach of law, fraud, or a contract.