On June 18, 2015, the Digital Privacy Act (Bill S-4) amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to incorporate mandatory data breach reporting requirements. The data breach notification provisions added by the amendment are set out in Division 1.1 of PIPEDA, but are not yet in force.

On September 2, 2017, the proposed regulations to implement the data breach reporting requirements were published for consultation.

The proposed regulations align closely with what is required for mandatory data breach reporting in Alberta and in the European Union.

Under the proposed regulations, organizations that experience a data breach must:

  • determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach;
  • when a breach poses a real risk of significant harm, notify the affected individual(s) and report to the Privacy Commissioner of Canada as soon as feasible;
  • notify any other organization that may be able to mitigate harm to affected individuals; and
  • maintain a record of any data breach and provide it to the Commissioner upon request.

For more information, see: http://canadagazette.gc.ca/rp-pr/p1/2017/2017-09-02/html/reg1-eng.php

Summary By: Jae Morris

E-TIPS® ISSUE

17 09 20

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.