Are you complying with Canada’s Digital Privacy Act, which became law in June, 2015 and amends PIPEDA?

There are now three breach reporting requirements, and significant financial penalties for contravening them.

“Law-abiding citizens value privacy. Terrorists require invisibility. The two are not the same, and they should not be confused.” David Frum & Richard Perle[i]

Privacy laws with penalties have been in force for some time now in 47 of 50 U.S. States. In most Canadian Provinces and Territories however, this has not been the case – until now. The long awaited amendments to The Personal Information Protection and Electronic Documents Act (PIPEDA), called the Digital Privacy Act, received Royal assent on June 18, 2015. Bill S-4 is now law in Canada. Although Cabinet has not yet proclaimed the Act’s breach reporting provisions in force, Canadian businesses should be preparing to comply with them. U.S. businesses with offices in Canada or business partners in Canada should also take note of this important legislation, as their interests will now have new special requirements as described below.

An Organization’s Obligations

There are now three breach reporting requirements “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” as follows:

1. Reporting to the Privacy Commissioner;
2. Reporting to the individual;
3. Reporting to agencies that can reduce harm to the individual.

Significant Harm

In this context significant harm is now broadly defined and “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.

Consequences for non-Compliance

The Commissioner’s office may disclose information about an organization’s personal information (PI) management practices to the public if it believes disclosure to be in the public interest. The Commissioner’s office can enter into compliance agreements with organizations that it believes are, or may be, subject to breaches. Anyone who knowingly contravenes these requirements is subject to a penalty of up to $10,000 on summary conviction or $100,000 on indictment.

What does this mean in the context of cyber risk management?

It is now a requirement of Canadian organizations to report cyber breaches which may cause “significant harm” (as described above) to both the Privacy Commissioner and to the individual(s) affected. They may also be required to notify other organizations, such as law enforcement, should damage caused by the breach potentially be mitigated.
More than anything else, this development will substantially increase awareness of the extent cyber breaches involving personally identifiable information are occurring in Canada. As a result organizations of all sizes and sectors will now be more likely to take this important subject much more seriously. Not only may financial penalties be levied, considerable damage to the organization’s reputation may result as a result of public notification and disclosure.