Canadian Confidential: Mandatory Data Breach Notifications under PIPEDA

While businesses and consumers were all agog to see the latest variation of the California Consumer Privacy Act passed earlier this year, Canada quietly introduced its latest permutation of the Personal Information Protection and Electronic Documents Act (PIPEDA), which imposes new mandatory breach notification obligations on companies that collect Canadians’ personal information. U.S. companies that do business across the northern border, or that collect the personal information of Canadian citizens in the United States, should take heed, because PIPEDA’s reach is far-ranging.

By way of background, PIPEDA is built upon a foundation of 10 fair information principles: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Keen observers may note similarities with certain principles announced in the General Data Protection Regulation’s (GDPR) Recitals, but Canada’s 10 principles hew to the tenets set forth in the Model Code for the Protection of Personal Information, which has been recognized as a Canadian national standard since 1996. With these principles in mind, on April 13, 2000, Canadian legislators enacted PIPEDA, which was later amended by the Data Privacy Act on June 18, 2015. The Data Privacy Act set forth new mandatory breach notification obligations, but those obligations did not take effect until November 1, 2018.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based. Moreover, Canadian courts have ruled that U.S. companies with no operations in Canada may still be subject to PIPEDA if they collect the personal information of Canadian citizens. Even the indirect collection of Canadians’ personal information, such as through a service contract, would subject a U.S. company to PIPEDA. In short, U.S. companies should be hyper-aware of any transaction that could involve the collection of Canadians’ personal information and ensure that their business practices comply with PIPEDA.

There are three main mandatory breach notification obligations set forth under PIPEDA. First, an organization subject to PIPEDA must keep records of all situations involving a “breach of security safeguards,” which is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information. “Personal information” is defined quite broadly to cover any information that can be linked to an individual; it includes such mundane information as age, name, ID numbers, income, and ethnic origin, but also out-of-the-ordinary information such as blood type, opinions, evaluations, comments, and social status, among others. That said, exclusions exist for businesses collecting, using, or disclosing certain business contact information of an individual solely for the purpose of communicating, or facilitating communication, with the individual in relation to the individual’s employment, business, or profession. PIPEDA’s scope is framed in terms of commercial activity: a “commercial activity” is any particular transaction, act, or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.

Second, covered organizations must provide written notice of a breach to the Privacy Commissioner of Canada if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. The report to the commissioner must describe the breach, when it occurred, the personal information at issue, the estimated number of individuals affected, and the steps the organization is taking in response.

Third, covered organizations must notify affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. In addition to the information provided to the commissioner, the notice to the individual must include information about the business’s complaints process and the individual’s rights under PIPEDA.

Returning to the first obligation, businesses must keep and maintain records of every breach of security safeguards, not only those reported. They also must, on request, provide the commissioner with access to copies of these records. The regulations require breach records to be maintained for 24 months after the date on which the business determined that the breach occurred.

Any breach of these obligations may result in the imposition of a fine not exceeding $100,000 for each time an individual is affected by a security breach.

Unlike the notice to the commissioner, which must be in writing, notice to affected individuals may be given in person, by telephone, by mail or email, or by any other form of communication that a reasonable person would consider appropriate in the circumstances. In a nod to the practical realities an organization faces in the immediate aftermath of a breach, PIPEDA only requires notice to be provided “as soon as feasible.”

Unlike the American privacy system, which is a hodgepodge of state and federal laws, the Canadian approach is unified and comprehensive. U.S. companies should review their privacy policies and update their incident response plans to account for the data of Canadian citizens. Failure to do so may result in financial penalties as well as reputational loss. With these amendments to PIPEDA, Canada is cementing its position as a protector of its citizens’ privacy. Those doing business in the Great White North should engage accordingly.