Canada Publishes Final Regulations on Mandatory Reporting of Privacy Breaches

Maki DePalo
Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

On April 18, 2018, the Canadian government published final regulations which include mandatory privacy breach notification, reporting and record-keeping obligations under Canada’s federal data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA).  These new obligations will come into force on November 1, 2018.

PIPEDA applies to private-sector organizations and sets out the ground rules for how businesses must handle personal information in the course of commercial activity, explains the Office of the Privacy Commissioner of Canada (Commissioner).  The Regulatory Impact Analysis Statement (RIAS) accompanying the publication of the final regulations highlights four objectives of the Regulations as follows: 1) ensure that all Canadians receive consistent information about data breaches that pose a risk of significant harm to them; 2) ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach; 3) ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm; and 4) ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.  To meet these objectives, the final regulations primarily address reporting obligations to the Commissioner; notification obligations to affected individuals; and record-keeping obligations.  Note the RIAS highlights the final Regulations were also drafted with a view to harmonizing the requirements under the General Data Protection Regulation (GDPR) to the extent possible.

The introduction of these obligations in PIPEDA is said to represent a sweeping change to the conduct of commercial activities in Canada.  In addition, the new obligations will likely present new costs, risks and challenges for organizations, regardless of the size of the organizations, in connection with their legal risk management, compliance, incident response planning and preparedness, and additional liability and regulatory exposures.

For more information, please see “New Rules for Mandatory Privacy Breach Notification in Canada” published by the Canadian law firm, Fasken.  For more information on the relevant PIPEDA provisions and the proposed regulations, and their comments on potential implications for organizations subject to PIPEDA at https://www.fasken.com/en/knowledgehub/2018/04/important-new-rules-for-mandatory-privacy-breach-notification.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide