Canada Publishes Final Regulations on Mandatory Reporting of Privacy Breaches


On April 18, 2018, the Canadian government published final regulations that establish mandatory privacy breach notification, reporting and record-keeping obligations under Canada’s federal private-sector data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). These obligations come into force on November 1, 2018.

PIPEDA applies to private-sector organizations and sets out the ground rules for how businesses must handle personal information in the course of commercial activity, as the Office of the Privacy Commissioner of Canada (the Commissioner) explains. The Regulatory Impact Analysis Statement (RIAS) accompanying the final regulations identifies four objectives: 1) ensure that all Canadians receive consistent information about data breaches that pose a real risk of significant harm to them; 2) ensure that breach notifications contain enough information for individuals to understand the significance and potential impact of the breach; 3) ensure that the Commissioner receives consistent and comparable information about breaches that pose a real risk of significant harm; and 4) ensure that the Commissioner can provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals and to report the breach to the Commissioner. To meet these objectives, the final regulations address three areas: reporting obligations to the Commissioner, notification obligations to affected individuals, and record-keeping obligations. The RIAS also notes that the final regulations were drafted with a view to harmonizing, as far as possible, with the requirements of the EU General Data Protection Regulation (GDPR).

The introduction of these obligations into PIPEDA has been described as a sweeping change to the conduct of commercial activity in Canada. The new obligations will also bring new costs, risks and challenges for organizations of every size: in legal risk management, compliance, incident response planning and preparedness, and in added liability and regulatory exposure. In practice, an organization subject to PIPEDA will need a breach response process that can assess whether an incident creates a real risk of significant harm, produce a report to the Commissioner and notices to affected individuals containing the prescribed content, and keep a record of every breach, not only those that meet the reporting threshold.

For more information, see “New Rules for Mandatory Privacy Breach Notification in Canada”, published by the Canadian law firm Fasken. For more information on the relevant PIPEDA provisions and the proposed regulations, and Fasken’s comments on the potential implications for organizations subject to PIPEDA, see at