In Canada, the protection of personal information in the private sector is governed either by the general federal act, known as PIPEDA,1 or by one of the specific provincial privacy statutes. PIPEDA applies to organizations' commercial activities in all provinces, except in those provinces that have their own privacy laws which are substantially similar to PIPEDA (Québec, British Columbia, Alberta), and subject to certain exceptions. Apart from specific sectors, such as health information,2 only one of the relevant Canadian statutes relating to the protection of personal information currently provides for mandatory breach notification, but this is about to change. We offer below a brief summary of the provisions requiring, or about to require, mandatory data breach notification in Canada.
Alberta's Personal Information Protection Act,3 in force as of May 1, 2010, is the only statute in Canada to impose mandatory notification to the Privacy Commissioner in case of a data breach, with the objective of "strengthen[ing] the obligations of organizations in this regard, and therefore improv[ing] security with respect to personal information."4 The Privacy Commissioner may require that the organization notify affected individuals. The Act states the following:
Notification of loss or unauthorized access or
34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
Power to require notification
37.1(1) Where an organization suffers a loss of or unauthorized access to or disclosure of personal information that the organization is required to provide notice of under section 34.1, the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure (a) in a form and manner prescribed by the regulations, and (b) within a time period determined by the Commissioner.
When a breach occurs, Alberta's private sector organizations, businesses and, in some instances, non-profit organizations are required to notify the Privacy Commissioner without unreasonable delay where "a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure". In the words of the Privacy Commissioner, the Act:
[...] requires an organization to provide notice to the Commissioner of any incident involving the disclosure of personal information where a reasonable person would consider that there exists "a real risk of significant harm" to an individual as a result of the disclosure. In turn, section 37.1(1) authorizes the Commissioner to require the organization to notify the individual. Under section 19.1(1) of the Personal Information Protection Act Regulation, [...] the notification must be given directly to the individual, and it must include a description of the circumstances of the disclosure, the date on which the disclosure occurred, a description of the personal information involved in the disclosure, a description of any steps the organization has taken to reduce the risk of harm, and contact information for a person who can answer, on behalf of the organization, questions about the disclosure.5
For a notification to be required, the harm to the individual whose data was compromised must be significant, that is, it must "be important, meaningful, and with non-trivial consequences or effects."6 The standard to meet is not one of certainty, but the risk must be more than speculative or conjectural.
PIPEDA applies to organizations' commercial activities in all provinces, except within provinces that have their own privacy laws, which are substantially similar to PIPEDA (as mentioned, this is the case for Québec, British Columbia and Alberta), and subject to certain exceptions (for specific sectors such as health information).
The previous version of PIPEDA contained no obligation to give notification of data breaches. In June 2015, the Digital Privacy Act7 was adopted, amending PIPEDA to include mandatory breach notification requirements. These provisions will be brought into force once the corresponding regulations are finalized. However, the federal government has yet to release regulations addressing data breach notification, almost two years after their adoption.
Still, given the growing number of well-publicized data breaches, it is critical for organizations to understand that their privacy policies and security safeguards are coming under greater scrutiny on all fronts. Once in force, the new PIPEDA provisions will require organizations to keep a record of every breach of security safeguards involving personal information under their control. The amendments also require organizations to notify both affected individuals and the Privacy Commissioner of Canada if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. Under PIPEDA, "significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Relevant factors in determining such a risk include the sensitivity of the personal information involved in the breach and the probability that it may be misused. Notification must be given "as soon as feasible" after the organization determines that the breach has occurred. The new provisions also give enhanced powers to the Privacy Commissioner of Canada. Failing to meet the reporting requirements can carry a fine of up to $100,000.
Although the new federal breach requirements are not yet in force, companies facing a breach in Canada should consult legal counsel for advice on the best notification and reporting practices. In truth, larger organizations in Canada have been doing this for some time.
The sections framing this new regime are largely based on Alberta's legislation. The federal regime does, however, make it mandatory to notify the affected individuals as soon as possible, whereas Alberta leaves it to the Commissioner to decide, on a case-by-case basis, whether such notification is necessary.
PIPEDA provides the following:
Report to Commissioner
10.1 (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
(2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.
(3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
(4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.
(5) The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.
Time to give
(6) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.
(7) For the purpose of this section, "significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Real risk of significant harm
(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:
a) the sensitivity of the personal information involved in the breach;
b) the probability that the personal information has been, is being or will be misused; and
c) any other prescribed factor.
10.2 (1) An organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.
Time to give
(2) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.
Disclosure of personal
(3) In addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual if (a) the disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1); and (b) the disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.
(4) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in the circumstance set out in subsection (3).
10.3 (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.
When the regulations giving effect to these changes are adopted, the new PIPEDA provisions will impose an obligation to notify Canada's Privacy Commissioner as well as the affected individuals for each data breach. These obligations will be broader and stricter than those under any other Canadian privacy protection legislation to date.
While it is not exactly clear why the new regime is not yet in force, the likely cause appears to be the lack of consensus among stakeholders in Canada as to the extent of such notification obligations.8
Quebec, Alberta and British Columbia each have their own privacy protection legislation, which is substantially similar to PIPEDA. Ontario,9 Newfoundland and Labrador10 and New Brunswick11 are partially exempted from the application of the federal law because they have privacy protection legislation covering the health sector. Those three regimes contain mandatory data breach notification provisions for medical information that apply only in a very specific set of circumstances.12
Neither the privacy protection legislation of British Columbia13 nor that of Quebec14 imposes mandatory data breach notification. However, since these two provinces are currently exempted from the application of PIPEDA because their provincial legislation is substantially similar to PIPEDA, one may wonder whether that legislation will still be considered substantially similar once PIPEDA's mandatory breach notification provisions come into force.
Conclusion – A Global Task
Even though Alberta has imposed such a regime for 7 years, mandatory data breach notification regimes are still at a nascent stage in Canada. However, when the relevant provisions of PIPEDA come into force, there will be mandatory data breach notification requirements across nearly the entirety of both Canada and the United States. The two countries could become fertile ground for transnational class action lawsuits in this respect. Faced with this new legal environment, organizations need to be proactive. Privacy laws vary from one jurisdiction to another, and global organizations have no choice but to comply with all privacy standards wherever they do business. Unfortunately, there is no single global standard that can be easily met, and organizations will need to comply with a patchwork of notification requirements.
1 Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (hereafter PIPEDA).
2 In Canada, medical information is protected by a different set of legislation.
3 SA 2003, c P-6.5. The form of the notifications is provided for in the Personal Information Protection Act Regulation, Alta Reg 366/2003.
4 Id., para 94.
5 Order P2012-02, 2012 (AB OIPC), para 93.
6 Order P2010-ND-001, 2010 (AB OIPC), para 17.
7 SC 2015, c 32.
8 A Summary of Consultation Responses, Data Breach Notification and Reporting Regulations, https://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf11212.html.
9 Health Information Custodians in the Province of Ontario Exemption Order, SOR/2005-399.
10 Personal Health Information Custodians in Newfoundland and Labrador Exemption Order, SI/2012-72.
11 Personal Health Information Custodians in New Brunswick Exemption Order, SOR/2011-265.
12 Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A; Personal Health Information Act, SNL 2008, c P-7.01; Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05.
13 Personal Information Protection Act, SBC 2003, c 63.
14 An Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.