Naïm Alexandre Antaki
Partner
Co-leader of the Canadian Artificial Intelligence Group | Leader of the Corporate Commercial Department - Montréal
Article
On September 1, 2017, Innovation, Science and Economic Development Canada (formerly Industry Canada) released the proposed text for Regulations to govern mandatory breach reporting and notification under Canada's federal privacy legislation, PIPEDA. The proposed text is accompanied by a detailed Regulatory Impact Analysis Statement (RIAS), and indicates that publication of the text initiates a 30 day comment period.
Mandatory data breach reporting and notification at the federal level was introduced with amendments to the federal private sector privacy law (PIPEDA) enacted by the Digital Privacy Act (Bill S-4). Bill S-4 came into force on June 18, 2015, but the new breach reporting and notification provisions will not come into effect until regulations are passed to govern the new requirements.
Under PIPEDA's mandatory reporting and notification regime, organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada (the Commissioner) and notify affected individuals. Notification is required in all circumstances where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual", which is defined to include humiliation, damage to reputation or relationships, and identity theft.
PIPEDA indicates that the notice must be given in the "prescribed format", which is now outlined within the proposed Regulations. The proposed Regulations do not impose any surprising or unexpected requirements regarding the form of notification. The Regulations anticipate that the report to the Commissioner and notification to affected individual will contain:
For the notification to individuals, the organization must provide a toll-free number or email address for the affected individual to obtain further information, and must provide information about the organization's internal complaint process and the affected individual's right to file a complaint with the Commissioner.
For the report to the Commissioner, the organization must provide an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm, a description of the steps that the organization has taken or intends to take to notify each affected individual, and the name and contact information of a person at the organization who can respond to questions about the breach.
The proposed Regulations also prescribe the manner of notifying individuals, which is to be given directly to the individual unless an exception applies that would allow for indirect notification. The Regulations indicate that direct notification can only be provided by email "if the affected individual has consented to receiving information from the organization in that manner". The Regulations do not define the form of "consent" that is required for the sending of such emails and whether consent may be "implied" or whether organizations will need "explicit" or express consent. Direct notification may also be given by letter, telephone or in person.
Indirect notification is to be given if any of the following circumstances exist: the giving of direct notification would cause further harm to the affected individual; or the cost of giving of direct notification is prohibitive for the organization; or the organization does not have contact information for the affected individual or the information that it has is out of date. Where indirect notification is used, it must be given either by a conspicuous message, posted on the organization's website for at least 90 days or by means of an advertisement that is likely to reach the affected individuals.
While the PIPEDA breach reporting and notification requirements are similar to the regime that exists in Alberta and relatively unsurprising in terms of their requirements, Bill S-4 also introduced a "data breach record-keeping" requirement that is unique within Canada. The provision requires organizations to keep and maintain a record of every breach of safeguards involving personal information under their control (whether or not notifiable) and to provide the Commissioner with such records on request.
This record keeping obligation is of significant concern to large organizations who are subject to frequent security intrusions and would not keep any record of these incidents in the normal course. The RIAS indicates that the proposed Regulations "confirm the scope and retention period for data breach record-keeping". However, the proposed Regulations provide only that records of breaches of security safeguards must be kept for 24 months and must contain any information pertaining to the breach that enables the Commissioner to verify compliance with breach reporting and notification obligations.
Organizations that detect and deter hundreds or possibly thousands of security incidents annually will experience obvious difficulties in complying with the record keeping requirements, and can be expected to provide significant feedback and comment on this aspect of the proposed Regulation during the Gazette comment period.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.