As Alberta Inches Closer To The Federal Model For Breach Reporting, Will Québec Follow?

Fasken, Contributor
Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm's website at fasken.com.

On April 1, 2024, the Alberta Office of the Information and Privacy Commissioner ("AB OIPC") announced significant changes to privacy breach reporting procedures in Alberta by publishing updated guidance for organizations to consider when reporting a breach to the AB OIPC.

Background

Alberta's Personal Information Protection Act ("PIPA")[1] was Canada's first private sector privacy law requiring organizations to report certain privacy breaches to a privacy commissioner and to notify affected individuals in certain circumstances. The Alberta regime was enacted in 2010.[2]

In the past, the AB OIPC has published breach notification decisions ("BND") on its website.[3] These decisions would include details from the organization's report to the AB OIPC, and a summary of the decision from the AB OIPC about whether the breach created a "real risk of significant harm" (or "RROSH") to individuals.

Since the inception of the regime, the AB OIPC published BNDs only in cases where it concluded that a RROSH existed, which in turn would require the AB OIPC to order organizations to notify individuals. However, given the widespread practice of reporting to commissioners and notifying individuals simultaneously, where the AB OIPC determined the organization had already notified individuals in accordance with PIPA[4] at the time of the report to the AB OIPC, the AB OIPC frequently held that organizations were not required to notify them again.[5]

Summary of Changes in Alberta

In a marked departure from 14 years of established practice, on April 1, 2024, the AB OIPC announced that it will, until further notice, cease its practice of publishing BNDs.[6] Organizations that report breaches to the AB OIPC and have already notified affected individuals in accordance with PIPA[7] will receive a private closing letter and a BND will not be published.[8] BNDs published in the past will remain available for searching and review on the AB OIPC website.

The AB OIPC stated that it will be prioritizing its resources to focus on breaches where organizations have failed to report the breach to the AB OIPC or to notify affected individuals.[9] The AB OIPC will put in place an expedited process to review breach reports in certain situations, including: (i) where individuals have not been notified, (ii) where the AB OIPC considers that a report to the AB OIPC was not made in accordance with section 34.1 of PIPA, or (iii) where the AB OIPC learns about a breach through the media or an individual complainant.

The AB OIPC suggests that it will increase its reliance on its PIPA Privacy Breach Notification Form ("Form")[10] to ensure reports and notices meet the legal requirements.[11] For example, the AB OIPC warns that if a report does not contain the information required by PIPA[12] or if the organization does not indicate in its notice that there exists RROSH in a manner that the AB OIPC deems sufficiently detailed,[13] the organization is not considered to have reported the breach to the AB OIPC under section 34.1 of PIPA.

The AB OIPC goes on to provide a number of additional documents that serve to highlight the changes and reaffirm the AB OIPC's expectations for breach reporting,[14] which expand on some of the 2018 guidance it had provided.[15] For example, the additional materials clarify the AB OIPC's view about the circumstances in which personal information was "collected in Alberta"[16] or what it means to be in "control" versus being in "custody" of personal information.[17]

Finally, the AB OIPC explicitly states that its preference is to have organizations submit the completed Form by email to its new email address for breach reports: breachnotice@oipc.ab.ca.[18]

Will Québec Follow Alberta?

The Québec Commission d'accès à l'information ("CAI") approach now stands in contrast with its Canadian counterparts.[19] Since the enactment of mandatory breach reporting and notification obligations in Québec in September 2022,[20] the CAI did not publish breach decisions but, pursuant to access to information law, was prepared to disclose to journalists the names of organizations which had submitted breach reports to the CAI.[21] In April 2023, the CAI decided to no longer make such disclosures in response to such access to information requests.[22] However, shortly thereafter, the CAI decided to publish on its website each quarter the names of all organizations that submitted breach reports to the CAI.[23]

This practice of systematically publishing the names of organizations that submit breach reports to a regulator may create a disincentive for organizations to report breaches. In fact, the volume of reports submitted to the CAI has dropped since it was revealed that the CAI was complying with journalists' requests for information about breach reports, and the trend has continued since the CAI's decision to publicize the names of organizations that report breaches.[24]

Many organizations would undoubtedly consider that the CAI should follow Alberta's lead, in order to ensure that breach reporting in Québec continues as appropriate, without the disincentive to report that is caused by the CAI's current approach of publishing the names of organizations that report breaches to it.

Key Takeaways for Organizations

  • Shift to confidentiality: Alberta's new breach reporting process ensures greater confidentiality and may reduce reputational risks for compliant organizations.
  • Focus on compliance gaps: the AB OIPC will intensify its focus on breaches that are either unreported or have not been adequately disclosed to affected individuals. Non-compliance creates a greater risk of regulatory scrutiny and potential investigations and expedited enforcement actions.
  • Clarity heightens expectations: breach reports and notifications should always be carefully drafted to align with PIPA requirements. When making decisions regarding reporting and notification, organizations should also be mindful of the AB OIPC's expectations and interpretation of PIPA as reflected in the updated guidance.

Footnotes

1. SA 2003, c P-6.5, https://canlii.ca/t/5619m.

2. Id., s. 34.1 and 37.1.

3. Office of the Information and Privacy Commissioner of Alberta, Breach Notification Decisions, available here: https://oipc.ab.ca/decisions/breach-notification-decisions/.

4. Supra, note 1, s. 37.1(7), which provides that, despite the AB OIPC's power to order notification, "Nothing in this section is to be construed so as to restrict an organization's ability to notify individuals on its own initiative of the loss of or unauthorized access to or disclosure of personal information."

5. Office of the Information and Privacy Commissioner of Alberta, PIPA Breach Report 2022, July 2022, p. 2, "There were 419 NO RROSH decisions issued between 2010‑2011 and 2020‑2021, representing 22% of all decisions. There were 200 findings of No Jurisdiction, representing 10% of all decisions.", with these two figures decreasing significantly over time, see at p. 13-14 for trends over time, available here: https://oipc.ab.ca/wp-content/uploads/2022/07/PIPA-Breach-Report-2022.pdf.

6. Office of the Information and Privacy Commissioner of Alberta, PIPA Privacy Breach Process, April 1, 2024, p. 8, available here: https://oipc.ab.ca/wp-content/uploads/2024/04/PIPA-Privacy-Breach-Process-April-2024.pdf.

7. Personal Information Protection Act Regulation, Alta Reg 366/2003, s. 19.1.

8. Supra, note 7, p. 5, available here: https://oipc.ab.ca/wp-content/uploads/2024/04/PIPA-Privacy-Breach-Process-April-2024.pdf.

9. Id., p. 4.

10. Available here for download: https://oipc.ab.ca/wp-content/uploads/2024/04/Privacy-Breach-Notification-Form-under-PIPA-April-2024.docx.

11. Supra, note 8, s. 19.

12. Supra, note 7, p. 6, which addresses situations where organizations choose to provide "Informal, Voluntary, or Courtesy Letters". Sometimes organizations will send to the Commissioner an informal or "courtesy" letter about a privacy breach, or inform the AB OIPC about an incident where, in the organization's view, a reasonable person would not consider a real risk of significant harm exists. If these informal letters do not contain the information required by section 19 of the PIPA Regulation, or if the organization does not indicate there exists real risk of significant harm, the organization is not considered to have notified the AB OIPC under section 34.1.

13. Simply describing the risk of harm as being "low", "medium" or "high" does not meet the requirement for an assessment of the risk of harm, which is a required element of reporting under the regulations. Organizations should seek to detail the specific harms they believe individuals are exposed to when reporting to the AB OIPC.

14. Office of the Information and Privacy Commissioner of Alberta, Guidance for Notifying the Commissioner about a Privacy Breach under PIPA, April 1, 2024, available here: https://oipc.ab.ca/wp-content/uploads/2024/04/Guidance-for-Notifying-the-OIPC-about-a-Privacy-Breach-Under-PIPA-April-2024.pdf.

15. Office of the Information and Privacy Commissioner of Alberta, Reporting a Breach to the Commissioner, August 2018, https://oipc.ab.ca/wp-content/uploads/2022/02/Breach-Reporting-2018.pdf.

16. Supra, note 17, p. 6, which goes on to provide four examples: (i) An individual residing in Alberta submits a job application electronically to an organization in Ontario. The personal information is transmitted over the internet and stored on a server hosted in Ontario. The personal information was "collected in Alberta" because the individual was in Alberta at the time it was collected by the organization. (ii) An individual residing in the United States submits a job application electronically to an organization operating in Alberta. The personal information is transmitted over the internet and stored on a server hosted in British Columbia. The personal information was "collected in Alberta" because the organization operates in Alberta. (iii) An individual residing in Alberta drives to the United States. The individual checks into a hotel in Arizona; no pre-booking was done in advance. The personal information was not "collected in Alberta" because the information was collected in person at the hotel, outside of Alberta. (iv) An individual visits the United States to shop at an outlet shopping centre. A store the individual made a purchase from, in the United States, was subject to a cyberattack, resulting in the unauthorized access to that individual's personal information. The personal information was not "collected in Alberta" because the information was collected in person at the store, outside of Alberta.

17. Id., p. 2. This is helpful and reinforces similar guidance from the federal commissioner that is available here: https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/, see "Who is responsible for reporting the breach?".

18. Please note that the previous email address (breachreport@oipc.ab.ca) has been disabled, but the change should not impact notices already sent before April 1, 2024.

19. PIPEDA provides for the confidentiality of breach reports to the federal commissioner, see s. 20(1.1). In addition, the federal Access to Information Act ("ATIA") was amended in 2018 to create a statutory exemption from the disclosure of any data breach of security safeguards report in response to access to information requests under the ATIA. However, the commissioner may share such information under limited circumstances for reasons related to national security or public interest, or use the information in the context of an investigation into the breach.

20. Supra, note 7, ss. 3.5 and following.

21. LaPresse, Une trentaine d'entreprises ont déclaré des fuites en deux mois, December 8, 2022, available only in French here: https://www.lapresse.ca/affaires/2022-12-08/protection-des-renseignements-personnels/une-trentaine-d-entreprises-ont-declare-des-fuites-en-deux-mois.php.

22. LaPresse, Des fuites de données qui resteront secrètes, April 28, 2023, available only in French here: https://www.lapresse.ca/affaires/2023-04-28/commission-d-acces-a-l-information/des-fuites-de-donnees-qui-resteront-secretes.php.

23. LaPresse, Plus de données sur les fuites de données, June 2, 2023, available only in French here: https://www.lapresse.ca/actualites/2023-06-02/commission-d-acces-a-l-information/plus-de-donnees-sur-les-fuites-de-donnees.php.

24. From October 2022 to March 2023, there was an average of 32.5 reports per month. For the following 6 months, i.e. April 2023 to September 2023, this number dropped to 15.8 reports per month. While there could be other factors explaining this drop in numbers, they seem to coincide with the CAI's systematic publication of decisions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
