Regulatory Roundup, Part 3: Proposed Canadian Breach Notice Requirements
The Canadian Parliament is again considering a requirement for organizations in Canada to notify individuals and the Office of the Privacy Commissioner of Canada in the event of a data breach. Under proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations would be required to notify the Commissioner when there is a “material breach.” The bill does not define this term, but states that the factors relevant to whether a breach is material include:
- The sensitivity of the breached personal data;
- The number of individuals affected by the breach; and
- Whether the breach or pattern of breaches demonstrates a “systemic problem.”
Notice to individuals would be required if it is “reasonable” under the circumstances to “believe that the breach creates a real risk of significant harm to the individual.” Significant harm includes, but is not limited to, “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” When determining whether there is a real risk of significant harm, organizations are instructed to consider the sensitivity of the personal information involved and the “probability that the information has been, is being, or will be misused.”
The bill requires that the notice to individuals contain sufficient information for individuals to understand the importance of the breach and take steps to protect themselves. Additional content requirements are yet to be determined and may be imposed via regulations. Unlike U.S. breach notice laws, the bill does not mandate particular methods of notice. It simply requires that the notice be conspicuous and given directly to the individual if feasible to do so. The timeframe for notice is “as soon as feasible” after a breach is confirmed and it is determined that notice is required.
It’s uncertain at this point whether the bill will gain traction. The same legislation was introduced last year, but failed to make it past a second reading. We will watch to see if this is finally the year for breach notice in Canada.
By Francesca Wolf
Legal Counsel & Compliance Officer