Starting November 1, 2018, companies governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to report data breaches to affected customers, third parties and the federal Privacy Commissioner. Companies in all provinces except Alberta, British Columbia and Québec, as well as federally-regulated businesses such as banks and telecommunications companies, will be covered by the upcoming data breach notification obligations.

The Digital Privacy Act, the Act amending PIPEDA, imposes notification obligations on organizations if it is reasonable in the circumstances to believe that the breach creates “a real risk of significant harm” to the individual. Should this harm threshold be exceeded, then organizations are required to notify:

  • the Privacy Commissioner;
  • the affected individual(s); and
  • any organization that can mitigate the harm, or risk of harm, caused by the breach.

The associated Breach of Security Safeguard Regulations, also to come into force on November 1, 2018, will elaborate on an organization’s data breach reporting obligations. Specifically, they will specify the content, form and manner of notification and provide additional details with respect to an organization’s record keeping requirements.

Summary By: Jae S. Morris

E-TIPS® ISSUE

2018 04 18

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.