When a cloud privacy breach occurs in Canada, what happens? In
some cases, businesses are subject to mandatory breach notification
requirements. This means that a privacy breach - whether as a
result of a hacker, a lost USB or some other human error - must by
law be reported to the commissioner and to affected individuals.
Ontario has implemented mandatory breach notification under its
Personal Health Information Protection Act. In Alberta,
organizations subject to the Personal Information Protection
Act (PIPA) are required to report a breach to the commissioner
“without unreasonable delay” where a “reasonable
person would consider that there exists a real risk of significant
harm to an individual as a result of the loss or unauthorized
access or disclosure”.
The “real risk of significant harm” threshold requires some
analysis in the event of a breach. The Alberta
commissioner’s Mandatory Breach Reporting
Tool (PDF) was released recently
to help organizations determine whether they are required to report a
breach under section 34.1 of PIPA. This area of law may be changing
further: a private member’s bill
was recently introduced in Parliament to implement mandatory data
breach reporting in the federal personal information protection
Here’s a recent case that illustrates the pitfalls of a
cloud privacy breach in Canada:
The Commissioner launched an exhaustive review of the privacy
aspects of the service after complaints regarding WhatsApp’s
information-handling procedures, including the collection of more
information than was necessary, the potential for privacy breach,
and the lack of encryption.
While the story generated damaging headlines,
WhatsApp did work with the Commissioner to resolve many of the
This investigation also shows the extent to which international
privacy watchdogs will work together to launch an investigation
that concerns personal information that crosses international
The privacy lessons are clear: get advice on the privacy
implications of the cloud-based service, and don’t
underestimate the importance of well-drafted privacy policies and
user terms. Cloud service providers should also take time to
understand the breach notification protocols that would apply in
the event of a privacy breach.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.