Skip to content

Client Update: Does your business need a spring privacy tune-up? Breach reporting and Europe’s GDPR are about to hatch

Rob Aske

The arrival of spring should bring thoughts of renewal… to your privacy practices.

Breach reporting under PIPEDA

Canada’s federal privacy law known by the acronym PIPEDA (Personal Information Protection and Electronic Documents Act) will now add privacy breach reporting as of November 1, 2018.

These breach reporting requirements were passed in 2015, but were not put into force as we waited for certain regulations to be proposed. But these regulations have now been published and with General Data Privacy Regulation coming in Europe in late May (see below), it was expected that Canada’s federal government would put the breach reporting provisions into force soon, and the November 1 implementation has just been announced.

The gist of the breach reporting obligations is as follows:

A business will be required to report to the Privacy Commissioner a breach involving personal information (“PI”) under its control, if it is reasonable to believe that the breach creates a real risk of significant harm to the individual.

Significant harm is defined to include humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Factors relevant to the real risk of significant harm include sensitivity of the PI, and the probability that it may be misused.

The report to the Commissioner would need to describe the breach, when it occurred, the PI that is subject, the estimated number of individuals affected, and the steps that the organization is taking in response.

The business would also need to notify individuals whose PI is involved, if that breach creates a real risk of significant harm to the individual.

The notice to the individual would need to describe the breach, when it occurred, the PI affected, the steps the organization is taking, plus information about the business’ complaints process and the individual’s rights under PIPEDA.

The business could be obliged to notify other organizations or government if the business believes that these other bodies may be able to reduce the risk of harm.

Another big change with this new legislation is that businesses shall be obliged to keep and maintain records of EVERY breach of security safeguards involving PI; i.e. whether or not it meets any particular harm test. In addition, businesses must, on request, provide the Commissioner with access to copies of these records.

In other words (cynically speaking), businesses will be obliged to maintain records which will help the Commissioner and any claimant build a case against the business.

The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred. In addition, these records, must enable the Commissioner to verify compliance with the business’ reporting obligations to the Commissioner and to individuals, if there has been a breach which creates a real risk of significant harm.

Any breach of these obligations may result in the business being charged with an offence, which could result in a fine not exceeding $100,000.

The obligation to report privacy breaches is not new to many jurisdictions, but will be new to much of Canada, and compels every business to tune up their privacy practices. And if your business deals with European customers, there’s more….

Europe’s General Data Privacy Regulation (“GDPR”) in force on May 25, 2018

This new law applies to both “controllers” and “processors” of PI. Controllers are those front line organizations (visible to the customer) that determine the purposes and means of processing PI, while a processor may process PI on behalf of the controller.

The GDPR can apply to a business which may not be established in the European Union (“EU”), if that business is offering goods and services to EU residents.

The GDPR takes individual consent to a higher level, requiring a freely given, specific, informed and unambiguous indication of the individual’s wishes, by which they offer a “clear affirmative action” to confirm their agreement to processing of their PI. Any PI collection must be specific, explicit and for legitimate purposes, and PI cannot be further processed in a manner that is not compatible with those purposes. Most interpret the GDPR’s consent provisions as requiring a positive opt-in, which is separate from other terms and conditions. The language must be plain. The right to withdraw must be as easy as giving consent, and must be available at any time. A child below 16 years must provide the consent of their parent or guardian.

Individuals have the right to obtain from controllers information about the processing of their PI including purposes of processing, categories of PI involved, recipients of PI, the period of retention, the identity of third parties providing any of the PI, and more.

EU residents will now have the so-called “right to be forgotten”, which requires the controller to erase PI without undue delay, provided that the PI is no longer necessary, and certain other conditions are met. Individuals will also have right to data portability, requiring controllers to transmit data to other controllers.

Processors may have potential direct liability, even though they may only be acting for the controller, and may not have any relationship with the individuals whose personal data is involved.

The GDPR also has obligations to notify individuals of data breach, similar terms to those outlined for PIPEDA above.

The GDPR gives individuals the right to an effective judicial remedy if their privacy rights have been infringed, including the right to receive compensation from the controllers and processors. The privacy authorities also have the right to levy fines for breach, which in some cases can go as high as €20 million, or 4% of total worldwide annual revenue for the preceding financial year, whichever is higher.

So if your organization has potential exposure in dealing with PI of Europeans, a close look at the obligations under GDPR is likely warranted.

SHARE

Archive

Search Archive


 
 

CAPSA releases guidelines on Capital Accumulation Plans and Pension Plan Risk Management

September 11, 2024

Level Chan and Dante Manna On September 9, 2024, the Canadian Association of Pension Supervisory Authorities (CAPSA) released the long-awaited final revisions to Guideline No. 3 – Guideline for Capital Accumulation Plans (CAPs) and the…

Read More

Nova Scotia legislative update: “Stronger Workplaces for Nova Scotia Act” – Bill No. 464

September 6, 2024

Sean Kelly and Tiegan A. Scott On September 5, 2024, the “Stronger Workplaces for Nova Scotia Act” (Bill No. 464) was introduced in the Nova Scotia House of Assembly for first reading by the Honourable Jill Balser…

Read More

Historic human rights ruling: Alberta tribunal sets record with landmark damages award, redefining the rules on compensation and deterrence

September 3, 2024

John A.C. Morse and Lauren Sorel The Human Rights Tribunal of Alberta (the “Tribunal”) recently awarded three complainants a total of $273,274.91 in compensation, with $155,000.00 of this amount designated as general damages – a…

Read More

Zoning changes and constructive taking: Newfoundland and Labrador Court of Appeal affirms the finding in Index v Paradise

August 28, 2024

Stephen Penney and Megan Kieley1 The Newfoundland and Labrador Court of Appeal’s recent decision in Index Investments Inc v Paradise (Town)2 is a significant decision for municipalities. The Court of Appeal endorsed the Newfoundland and…

Read More

Immigration red flags: five organizational issues that open employers to risk

August 15, 2024

By Kathleen Leighton & Brittany Trafford The Temporary Foreign Worker Program (“TFWP”) and International Mobility Program (“IMP”) provide Canadian employers the opportunity to hire foreign workers to address their labour needs, particularly when qualified Canadians…

Read More

Supreme Court of Canada denies leave to appeal of Alberta ruling on post-death life insurance conversion (Part II)

August 15, 2024

This is the second in a two-part Thought Leadership series on a recent life insurance case out of Alberta, and the implications for life insurers. Michelle Chai and Liz Campbell1 Part I of this two-part series…

Read More

Changing the rules again: Another round of changes impacting Canada’s Competition Act

August 14, 2024

By Deanne MacLeod, K.C., Burtley G. Francis, K.C., and David F. Slipp On June 20, 2024 the Fall Economic Statement Implementation Act, 2023 (the “Economic Statement”) received Royal Assent and became law. The Economic Statement…

Read More

Supreme Court of Canada denies leave to appeal of Alberta ruling on post-death life insurance conversion

August 13, 2024

This is the first in a two-part Thought Leadership series on a recent life insurance case out of Alberta, and the implications for life insurers. By Michelle Chai and Liz Campbell1 The Supreme Court of…

Read More

Canada’s investment in hydrogen has substantial implications for the Atlantic Canadian wind power sector

August 6, 2024

This articles follows our recent Thought Leadership piece on the Federal Government’s announcement of significant investment through the Smart Renewables and Electrification Pathways Program in Nova Scotia clean energy projects. By Dave Randell, Sadira Jan,…

Read More

New announcements in the Canada-Nova Scotia partnership for the clean energy future

August 1, 2024

By David Randell, Sadira E. Jan, Daniel Mowat-Rose, and Marina Luro1 Natural Resources Canada has released two important announcements relating to Nova Scotia’s transition to a green economy: Collaboration framework for a sustainable future Canada’s…

Read More

Search Archive


Scroll To Top