On April 18, 2018, the final regulations relating to the mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) were published. These regulations, which include fines of up to CAD$100,000 for non-compliance, will come into force on November 1, 2018.
Until now, data breach reporting under PIPEDA has been voluntary for private sector organizations across Canada; Alberta is the only province whose own private sector privacy law (its Personal Information Protection Act) already makes breach reporting mandatory. PIPEDA is Canada’s federal private sector data protection law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activities in every province that has not enacted substantially similar private sector privacy legislation (that is, every province except Alberta, British Columbia, and Quebec). PIPEDA also applies to federal works, undertakings and businesses (for example airlines, banks, interprovincial railways and trucking, and broadcasting, including the employee information of those organizations), and to personal information that crosses provincial or national borders in the course of commercial transactions, regardless of the province in which the organization operates.
The amendments to PIPEDA and the final regulations mean that organizations subject to PIPEDA will soon face mandatory breach notification, reporting, and record-keeping requirements. Organizations whose activities fall entirely under the British Columbia or Quebec private sector statutes are outside PIPEDA for those activities, and Alberta organizations already report under their provincial law; federal works and cross-border data flows remain subject to PIPEDA wherever the organization is located. In outline: where a breach of security safeguards creates a real risk of significant harm to an individual, the organization must report it to the Privacy Commissioner of Canada and notify the affected individuals as soon as feasible, and it must keep a record of every breach of security safeguards, whether or not it met that harm threshold, for 24 months after determining that the breach occurred.
Organizations should therefore review, revise, and implement their privacy policies and incident response procedures, including a breach assessment and record-keeping process, before November 1, 2018, to ensure compliance with the final regulations. To better understand the legal threshold for breach notification and reporting in Canada, and to confirm compliance with PIPEDA, organizations should contact their Ally Law privacy and cybersecurity lawyer.