Many assume that, with the advent of privacy statutes, companies have been required to notify their customers, or the relevant statutory authority, in the case of a data breach or improper accessing of customer data.  However, to date, for the vast majority of provinces and territories in Canada, that has not been the case, and the choice of whether or not to tell even those whose personal data has been improperly accessed, or leaked, has been in the discretion of the party that failed to keep it safe. That is about to change.

New Rules

The Order in Council 2018-0369 dated March 26, 2018, has confirmed that later this year, new provisions and regulations requiring organizations to notify Canadian consumers when their personal information is breached will come into effect. As of November 1, 2018, Canadian companies governed by the Personal Information Protection and Electronic Documents Act ("PIPEDA") will be required to report data breach incidents to the Office of the Privacy Commissioner of Canada (the "Commissioner") and to notify affected individuals and third parties.

Organizations will be required to notify the Commissioner in the event of a data breach. The new rules provide that the Commissioner must receive a written report containing details of the breach. This must include an estimate of the number of affected individuals who may be at risk of significant harm as a result of the breach. The Commissioner must also be made aware of the personal or private information that was compromised and what the organization plans to do to reduce the risk of harm to those affected. Further, the organization must provide to the Commissioner details of the organization's plan to notify affected individuals. With this information, the Commissioner can then decide if it is necessary to initiate an investigation into the circumstances of the breach and report to Parliament on how the provisions and regulations are being complied with.

The new rules require that those affected be notified "as soon as feasible after an organization determines that a breach has occurred." Organizations will be required to provide the following information to affected consumers and individuals: 

  • Information about the circumstances of the breach;
  • The date of breach or the period in which the breach took place;
  • The information that is the subject of the breach;
  • The steps taken by the organization to reduce the risk of harm to any affected individual;
  • Possible steps that an affected individual could take to reduce the risk of harm to themselves resulting from the breach;
  • A toll-free number or email address for affected individuals to contact for further information; and
  • Information concerning how an affected individual could file a complaint with the commissioner.

Organizations may also be required to notify other organizations or third parties of the privacy breach if the organization believes the other organization or third party may be able to mitigate harm to affected individuals.

 High-Profile Data Breaches

The enactment of PIPEDA's notification regime comes in a timely manner. Recently, many high-profile companies have made headlines for large-scale privacy incidents.

Facebook is in the midst of its worst privacy scandal to date, following allegations that the data mining firm, Cambridge Analytica, misused the private data of more than 87 million Facebook users, allegedly to manipulate public opinion by microtargeting customers based on their private data. Several hundred thousand Canadians are thought to have had their data improperly used and, notably, despite knowing of this for years, there is no indication that Facebook ever told its users before a whistleblower effectively did.  

In 2016, Uber Canada was the subject of a privacy breach that placed the personal information of over 800,000 Canadian users at risk. In November of 2017, it had been revealed that Uber waited an entire year to notify affected individuals. Alberta, being the only Canadian jurisdiction that already has a mandatory breach notification regime in place, took sanctions against the transportation provider. The Alberta privacy law framework requires that all privacy breaches be reported to the Alberta Information and Privacy Commissioner. Uber failed to notify users that their personal data had been stolen until ordered to do so by the Alberta Information and Privacy Commissioner.

"Significant Harm" Threshold

Under the new regulations, notification will be required in circumstances that create a "real risk of significant harm to the individual." In this context, the definition of "significant harm" is broad and includes, but is not limited to, risk of bodily harm, damage to reputation or relationships, humiliation, loss of employment or opportunity, financial loss, identity theft and damage to or loss of property.

Organizations will retain some discretion in determining whether a data breach has created a real risk of significant harm to those affected. In other words, private sector organizations governed by PIPEDA will be left to decide whether the risk of significant harm to users resulting from a privacy breach warrants notification. Organizations that knowingly fail to report to the Commissioner or those affected of a breach that poses a real risk of significant harm will run the risk of being fined up to $100,000.

Jurisdiction

The PIPEDA amendments will apply to organizations that are governed by PIPEDA. Alberta, British Columbia and Quebec each have similar Acts. BC and Alberta each have a Personal Information Protection Act (PIPA). The provincial laws under both the Alberta and the BC PIPA are considered to be substantially similar to PIPEDA and therefore govern private sector privacy in those provinces. However, this does not mean that PIPEDA notification requirements are not relevant in BC. PIPEDA will apply to any business that operates in a province that is not subject to substantially similar provincial legislation.

Prevention is the Best Option

The new mandatory breach notifications place greater obligations on organizations governed by PIPEDA. While organizations will be turning their minds to crafting their privacy breach notification plans, consumers and individuals should be considering ways to better protect themselves from the risks associated with possible data breaches, including greater consideration of what data to share or provide, and to whom, as well as better scrutinizing the terms of use of sites or organizations with which they share their information. Consumers have long taken as a given in the abstract that the price of free services is the provision of certain personal information, but that bargain merits greater scrutiny, even as stricter regulations are coming online.  PIPEDA's mandatory data breach notification regime is certainly a step in the right direction but when it comes to protecting private data, prevention is still the best option to avoid any "real risk of significant harm."

With thanks to articling student Aman Sara for her assistance drafting this post.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.