Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been law for some time, but new federal data breach and compromise notification requirements went into effect today, November 1, 2018.
The main points of the law include requiring businesses to report a breach to the government if any individual’s personal information is compromised and the potential loss of data represents “significant harm” to said individual. Breaches must now be reported to the Privacy Commissioner as well as the affected individuals. Detailed information about the breach itself, the nature of the personal information lost, the likelihood of damage stemming from the compromised data, and the steps taken to mitigate potential fallout are all now required.
A record of the breach must be maintained for 24 months, and non-compliance with PIPEDA could lead to fines up to $100,000.
As with the European Union’s GDPR, critics have derided the open-ended language of the legislation (breaches need to be reported “as soon as feasible,” which leaves room for interpretation) and have expressed skepticism about the Privacy Commissioner’s ability to keep pace with breach notifications as they occur.
While current Privacy Commissioner Daniel Therrien has indicated that his office is understaffed and would only be able to pay superficial attention to most reports, companies should assume that the government will enforce the new regulation.
Read the Canadian government documentation of PIPEDA here.