Private sector organizations governed by the Personal Information Protection and Electronic Documents Act ("PIPEDA") have seven months to prepare for the coming into force of the legislative amendments that enact mandatory data breach reporting and notification. This article explains the coming into force of the breach reporting provisions within PIPEDA, as well as the timing for the release of final Regulations.
The long-awaited breach reporting and notification rules will require organizations that experience a data breach to report the incident to the Office of the Privacy Commissioner of Canada (the Commissioner) and to notify affected individuals. Reporting and notification will be required in all circumstances where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual". Under the Act, "significant harm" is defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Mandatory data breach reporting and notification at the federal level was introduced with amendments to PIPEDA enacted by the Digital Privacy Act (Bill S-4). Bill S-4 came into force on June 18, 2015, but the date on which the new data breach provisions would come into effect remained unknown until the recently proclaimed Order In Council, dated March 26, 2018 (Order In Council 2018-0369). The Order In Council states that the provisions of the Digital Privacy Act relating to data breaches (sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of PIPEDA) will come into force on November 1, 2018.
Draft Regulations were published in the Canada Gazette on September 2, 2017 and were subject to a period of public comment. Another March 26, 2018 Order In Council (Order In Council 2018-0368) states that the final text of the Regulations will not be published until April 18, 2018. The draft Regulations had indicated that their coming into force date would be the same day as the day on which section 10 of the Digital Privacy Act comes into force, provided the Regulations are registered prior to that date; accordingly, we anticipate that the final Regulations will also come into force on November 1, 2018. The content of the draft Regulations (potentially subject to revision) was described in our earlier article, No Escaping Notification: Government Releases Proposed Regulations for Federal Data Breach Reporting & Notification.
The data breach provisions enacted by the Digital Privacy Act are set out in PIPEDA. The draft Regulations are available here. We will be following up with a more detailed analysis of the Regulations once their final text is published on April 18th.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.