7 September 2017
The Canadian Federal Government (‘the Government’) published, on 2 September 2017, proposed regulations (‘the Proposed Regulations’) on the breach of security safeguards provisions introduced by the Digital Privacy Act 2015 into the Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’). In particular, the Proposed Regulations, which follow a consultation with businesses across Canada, detail how organisations will be required to notify affected individuals and elaborate on the data breach record keeping requirements under PIPEDA.
Keith Rose, Associate at McCarthy Tetrault LLP, told DataGuidance, “The Proposed Regulations are a necessary precursor to bringing into effect the breach reporting and notification regime that was passed in 2015. They will apply to private sector organisations, except in provinces that have separate legislation that has been deemed substantially similar to PIPEDA. The Proposed Regulations aim to ensure consistency in the information provided to the Office of the Privacy Commissioner of Canada (‘OPC’) and to individuals, while preserving flexibility for organisations. Moreover, they also attempt to achieve sufficient alignment with obligations under the General Data Protection Regulation (Regulation (EU) 2016/679), to assist in preserving the adequacy decision that permits organisations to transfer personal information to Canada.”
The Proposed Regulations elaborate on existing requirements for direct notification to individuals affected by a breach. Additionally, the Proposed Regulations specify that indirect notification, either on the organisation’s website or through an advertisement likely to reach the affected individuals, may be permitted where direct notification would be unfeasible or not in the interest of such individuals.
Timothy Banks, Partner at Dentons Canada LLP and Canadian Lead for Dentons’ Global Privacy and Data Security practice, outlined, “The Government has heard industry and has provided organisations with the ability to provide direct notifications by email or other secure electronic means to which the individual consented as well as by traditional mail or by notification in person. Organisations will [also] welcome the flexibility of indirect notification in some circumstances. Moreover, another interesting aspect of the Proposed Regulations is that they require organisations to notify individuals of their right to complain to the OPC. This requirement ignores the fact that in many cases, the organisation is a victim who may have met the standard of care but whose security systems were nevertheless breached. We expect that this will create unnecessary complaints to the OPC, which will only result in further and unnecessary burdens on organisations.”
The Proposed Regulations also expand on the content of a report on the breach to be submitted to the OPC and to individuals, which must include a description of the circumstances of the breach, the personal information subject to the breach, the number of individuals that the breach could affect, and the steps the organisation has taken to reduce the risk of harm resulting from the breach.
“Perhaps more significantly, the Proposed Regulations could have clarified the circumstances when organisations will be required to notify third party organisations and government institutions. In the absence of such clarification, the obligation is on the organisation to assess which third parties may be able to reduce the risk of or mitigate the harm resulting from the breach, which many organisations may struggle with. Further, notification to such third parties is mandatory, with no conditioning language, i.e. ‘unless otherwise prohibited by law.’ There are requirements or practices that exist in other regimes, for instance, anti-money laundering, that prohibit disclosure of certain events. Clarification of these priorities would have been welcome.”
Interested persons may make submissions on the Proposed Regulations until 14 September 2017.
Kaveh Lahooti | Privacy Analyst