snIP/ITs Insights on Canadian Technology and Intellectual Property Law

Canadian Federal Government Revives Amendments to PIPEDA – Part I: What Canadian Businesses Need to Know About the Proposed Breach Notification Provisions

Posted in Privacy

If the recently tabled Bill C-12 is enacted, organizations governed by Canada’s private sector privacy legislation will be required to notify the federal Privacy Commissioner of any material privacy breaches involving personal information. The Bill, Safeguarding Canadians’ Personal Information Act, is a copy of the previous Parliament’s breach notification bill, Bill C-29, which died on the order paper. 

Many countries have laws in place that require organizations facing a data breach scenario to notify affected parties. In the United States, California was the first state to enact such a law, which required any person or business that owns computerized data to notify any resident of California whose unencrypted personal information was acquired by an unauthorized person. Since then, every state other than Alabama, Kentucky, New Mexico and South Dakota have enacted similar security breach notification laws. The European Union similarly amended the Directive on Privacy and Electronic Communications in 2009 to include a breach notification component.

Currently, Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not explicitly require organizations to disclose whether they have faced a data breach.  If enacted, Bill C-12 will implement several amendments to PIPEDA, chief among which is a breach notification requirement. The first part of this blog post answers some questions about the breach notification amendments in Bill C-12, the second part will examine the other amendments to PIPEDA.

Who will be subject to the breach notification requirements?

Organizations operating in the Canadian private sector, except in Alberta, BC and Québec, will be subject to the requirements. Organizations dealing exclusively with customers in Alberta will be subject to the existing breach notification requirements in that province. The amendments will not apply to organizations dealing exclusively with customers in BC and Québec, although chances are those provinces will consider similar amendments to their provincial private sector privacy statutes.

Under Bill C-12, when will organizations need to notify the federal Privacy Commissioner?

Organizations will need to notify the Privacy Commissioner of Canada of any material breach of security safeguards involving personal information under their control.

What constitutes a “material breach” under Bill C-12?

Materiality will be determined by considering a number of factors including:

  • the sensitivity of the personal information;
  • the number of individuals whose personal information was involved; and
  • whether the cause of the breach or a pattern of breaches indicates a systemic problem.

When do organizations need to notify affected individuals?

Organizations will have to notify individuals if the breach creates a real risk of significant harm to individuals.  If there is such a risk, a business must notify individuals, even if the organization does not have to report the breach to the commissioner because the breach does not meet the materiality threshold.

Significant harm is defined in the bill to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”

What other breach notification requirements apply in Canada’s private sector and how do they differ from Bill C-12’s breach notification requirements?

Alberta is currently the only province with a breach notification law that applies to the private sector (for non-health information – some provinces have breach notification requirements in place that deal with personal health information).  Under Personal Information Protection Act (PIPA), Alberta companies, facing a data breach, must notify the Privacy Commissioner of Alberta if “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”  The Alberta Privacy Commissioner then determines whether affected individuals are to be notified.

The chart below compares the breach notification requirements in Alberta under PIPA and federally, under Bill C-12.

  Alberta (PIPA) [in force] Federal (Bill C-12) [proposed]
     
What is the threshold for notifying the Privacy Commissioner? Real risk of significant harm to an individual “Material” breaches of security safeguards (materiality is determined by a number of factors including the number of individuals affected)
     
What is the threshold for notifying affected individuals? The Commissioner may require an organization to notify individuals to whom there is a real risk of significant harm. An organization must notify individuals where there is a real risk of significant harm to the individual.
     
Who decides whether individuals
are to be notified?
Privacy Commissioner Organization
     
What are the penalties for non-compliance? Individuals – $10,00
Organizations – $100,000
None specified (but Federal Court can award damages for contraventions of PIPEDA)

 

Interestingly, the standard that triggers notification to the Privacy Commissioner of Alberta is used as the standard to notify affected individuals under Bill C-12, and the Bill creates a lower standard under which the federal commissioner needs to be notified. Unless the Alberta privacy statute is amended, organizations operating solely in Alberta will be required to meet the higher standard even if Bill C-12 comes into force.

If organizations are required to notify the Privacy Commissioner of a breach, what information should they provide to the commissioner?

The Privacy Commissioner has suggested that organizations provide her with the following information:

  • the fact that a privacy breach occurred and a description of the circumstances surrounding the breach (date, location, cause);
  • the type of personal information that is involved;
  • the estimated number of individuals affected;
  • the steps the organization has taken to mitigate the harm, and any likely further steps; and
  • the people or organizations whom the organization has already notified and the date of the notification