The initial focus was on preparing Canadian companies that do business in the European Union and handle its residents' personal data to comply with the new requirements of the EU's General Data Protection Regulation, which takes effect May 25.
Under the GDPR, companies are required to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it.
The GDPR requires that any breach of personal data that poses a risk to the rights and freedoms of EU residents be reported, whether or not the company is based in the EU.
Canada had introduced similar legislation through the Digital Privacy Act in 2015.
In March 2018, the federal cabinet issued an order-in-council indicating that Canadian mandatory data-breach disclosure rules will go into effect in November, three years after being introduced through legislation. Chantal Bernier, who leads Dentons Canada LLP’s privacy and cybersecurity practice, says she has advised her clients that they could prepare for both sets of rules at the same time.
“I said to my clients, ‘Why don’t we do two in one?’” says Bernier, who previously served as the interim privacy commissioner and assistant commissioner of the Office of the Privacy Commissioner of Canada (OPC). “The words are different in each legislation, but in both cases, the test is the same.”
In Canada, the obligation to report is triggered when a breach creates a real risk of significant harm to an individual. In the event of a security breach involving personal information, Canadian organizations governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) must notify the affected individuals and must also report the breach to the OPC.
To prepare, organizations should establish a governance process that sets out who will decide whether notification is necessary, says Bernier. They also need to define the criteria, specific to the work they do and the data they handle, that would lead them to report a breach to officials.
Wendy Mee, a partner at Blake Cassels & Graydon LLP who works in privacy and information governance, sees the rollout of the Canadian legislation as almost a necessity for international trade.
“I definitely think we need a federal data-breach reporting regime, if for nothing else but to improve the likelihood that we will continue to be adequate under the GDPR in Europe,” says Mee.
Under existing European law and under the GDPR, European companies can transfer data to organizations in Canada that are subject to PIPEDA because the Canadian legislation meets the EU’s adequacy threshold. But that decision is up for review.
Canada’s new mandatory data-breach reporting rules, which have a similar objective to those launched in the EU, bridge what could have been a gap between the requirements of the two jurisdictions, says Mee.
“It’s a good thing for the Canadian economy so we want to keep that. So I think having a mandatory breach-notification regime under PIPEDA will help if and when [the EU] review happens to make sure PIPEDA is still adequate,” says Mee. Although the Canadian rules are a long time coming, preparing for their rollout later this year could be a lot of work.
Some businesses may not have the infrastructure in place to accommodate all the requirements, says David Elder, Stikeman Elliott LLP’s chief privacy officer and chairman of its communications group in Ottawa.
“They will have some work to do really in just creating clear roles about who handles what reporting channels and employee awareness about what to flag so it can be investigated and determined if there was a breach,” he says.
Another aspect of the new Canadian rules is causing some consternation.
Companies are also required to keep a record of all breaches, no matter how small, says Elder.
This is something Elder says is not typically required by privacy laws in other jurisdictions. The record-keeping requirement covers breaches that are not reportable. Because data breaches are broadly defined in this context, even small, incidental acts could qualify, such as leaving a purchase order on a table where others can see it or discussing a client’s preferences openly, says Elder.
He expects businesses will struggle to set their own threshold for what they should and should not record, and then to train the front-line staff who might cause these breaches.
Mee also says companies and organizations need to keep a record of every breach of security safeguards, regardless of the harm threshold, which will be very challenging for organizations.
She says setting up the necessary system to accommodate the record-keeping requirement, including implementing policies and conducting training, can be onerous.
The purpose is to have that information on hand to demonstrate compliance with the reporting obligations, she says, but there is potential for that information to be used in future claims.
“[Organizations covered by the record-keeping legislation are] going to have a record of all these breaches that have occurred, if there was ever a really big breach and [if] there was litigation as a result of that. All of this stuff is discoverable,” says Mee.