The breach notification obligations for Canadian organizations change significantly in 2018: (i) the European Union's General Data Protection Regulation (GDPR) came into force on May 25, 2018, while (ii) new reporting obligations under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force on November 1, 2018. To assist Canadian organizations with their compliance efforts under these regimes, the following provides a non-exhaustive, high-level comparison of (i) the GDPR, (ii) PIPEDA and (iii) Alberta's Personal Information Protection Act (PIPA). While there are important nuances to each of these regulatory frameworks, they broadly draw on fair information practices, which results in substantial commonality among them. In fact, a number of elements in Canadian private sector privacy law, especially in PIPA, anticipated some provisions of the GDPR.
This article focuses on breach notification requirements. For a more general comparison of these enactments, please see our companion piece here.
| | GDPR | PIPEDA | PIPA |
|---|---|---|---|
| What event triggers the obligation? | Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored, or otherwise processed is subject to the breach reporting rules. | A breach of security safeguards involving personal information is subject to the breach reporting rules. | Any incident involving the loss of or unauthorized access to or disclosure of personal information is subject to the breach reporting rules. |
| Is there a threshold standard when reporting is mandatory? | Notification must be given unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. | An organization must report any breach of security safeguards involving personal information if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. | Notification of a breach must be given where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss, or unauthorized access or disclosure. |
| Does the law define factors that influence the risk or harm? | No. | Definition: "significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Factors indicating a real risk of significant harm are the sensitivity of the personal information involved in the breach, and the probability that personal information has been, is being or will be misused. | No. |
| Does the law define how quickly one must report? | The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The controller shall, within 72 hours of becoming aware of a breach, notify the supervisory authority. Where notification is not made within 72 hours, reasons must be given for the delay. When it would cause undue delay to provide the required information at the same time, the information may be provided in phases. | The notification must be given as soon as feasible after the organization determines that the breach has occurred. | Notification must be given without unreasonable delay. |
| Reporting to the commissioner? | Controllers must notify the supervisory authority of the given EU member state. | Yes, to the federal Privacy Commissioner (in this column, the "Commissioner"). | Yes, to the provincial Information and Privacy Commissioner (in this column, the "Commissioner"). |
| Does the law prescribe what must be reported to the commissioner? | The notice must contain: | The notice must contain: | The notice must contain: |
| What sanction arises if one fails to report to the commissioner? | The supervisory authority of the given EU state may issue orders, warnings, or reprimands (including administrative fines) against a controller or processor. | It is an offence to fail to provide notice to the Commissioner, and may result in a fine of up to $100,000 for an organization. The Court may order the organization to correct its practices, and to publish a notice of any action taken to correct its practices. | It is an offence to fail to provide notice to the Commissioner, and may result in a fine of up to $100,000 for an organization. |
| Reporting to the individual? | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. | An organization shall notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. | The Privacy Commissioner may require the organization to notify individuals of the loss of their personal data. |
| Does the law address reporting to others? | No. | An organization that notifies an individual of a breach of security safeguards shall notify any other organization, including government institutions, of the breach if the notifying organization believes that the other organization concerned may be able to reduce the risk of harm. | No. |
| Does the law prescribe what must be reported to the individual? | The notice must include: | The notice must include: | The notice must include: |
| Does the law permit indirect notification of individuals? | Yes, provided that notifying the individual or individuals would involve "disproportionate effort." | Yes, provided that: | Notification may be given to an individual indirectly if the Commissioner so allows. |
| What sanction arises if one fails to report to the individual? | The data subject has the right to: | The Court may order the organization to: | The Commissioner may make any order it considers appropriate. The Court may order the organization to pay damages to the complainant for loss or injury. |
| Does the law mandate record keeping requirements? | The controller shall document any personal data breaches, including facts relating to the breach, its effects, and the remedial action taken. This documentation will allow the supervisory authority to verify compliance with the GDPR. | | PIPA does not impose any specific requirements to keep records related to breaches. |
| Does the law contemplate exemptions to the notification responsibilities? | Notice to the individual is not required in any of the following circumstances: | The organization is not required to notify the individual of a breach if doing so is prohibited by law. The organization is not required to notify the Commissioner or the individual if it is not reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. | The organization is not required to give notice to the Commissioner if there is no real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure of personal information. The organization is not required to give notice to the individual unless so ordered by the Commissioner. |
Bibliography
General Data Protection Regulation, EU Reg 2016/679: http://data.europa.eu/eli/reg/2016/679/oj
Personal Information Protection Act Regulation, Alta Reg 366/2003: http://canlii.ca/t/83gh
Personal Information Protection Act, SA 2003, c P-6.5: http://canlii.ca/t/81qp
Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA] (in force): http://canlii.ca/t/7vwj
PIPEDA (pending amendments): http://laws.justice.gc.ca/eng/acts/P-8.6/nifnev.html
PIPEDA (pending regulations): http://laws.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.