Written By Stephen D. Burns, J. Sébastien A. Gittens, Martin P.J. Kratz QC, and Kees de Ridder
This article focuses on breach notification requirements. For a more general comparison of these enactments, please see our companion piece here.
| | GDPR | PIPEDA | PIPA |
|---|---|---|---|
| What event triggers the obligation? | Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored, or otherwise processed is subject to the breach reporting rules. | A breach of security safeguards involving personal information is subject to the breach reporting rules. | Any incident involving the loss of or unauthorized access to or disclosure of personal information is subject to the breach reporting rules. |
| Is there a threshold standard when reporting is mandatory? | Notification must be given unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. | An organization must report any breach of security safeguards involving personal information if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. | Notification of a breach must be given where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss, or unauthorized access or disclosure. |
| Does the law define factors that influence the risk or harm? | No. | Definition: "significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Factors indicating a real risk of significant harm are the sensitivity of the personal information involved in the breach; and the probability that personal information has been, is being or will be misused. | No. |
| Does the law define how quickly one must report? | The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The controller shall, within 72 hours of becoming aware of a breach, notify the supervisory authority. Where notification is not made within 72 hours, reasons must be given for the delay. When it would cause undue delay to provide the required information at the same time, the information may be provided in phases. | The notification must be given as soon as feasible after the organization determines that the breach has occurred. | Notification must be given without unreasonable delay. |
| Reporting to the commissioner? | Controllers must notify the supervisory authority of the given EU member state. | Yes, to the federal Privacy Commissioner (in this column, the "Commissioner"). | Yes, to the provincial Information and Privacy Commissioner (in this column, the "Commissioner"). |
| Does the law prescribe what must be reported to the commissioner? | The notice must contain: (a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) the name and contact details of the data protection officer or other contact person; (c) a description of the likely consequences of the personal data breach; and (d) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate possible adverse effects. | The notice must contain: (a) a description of the circumstances of the breach; (b) the day on which, or the period during which, the breach occurred; (c) a description of the personal information involved in the breach; (d) an estimate of the number of individuals to whom there is a real risk of significant harm; (e) a description of any steps the organization has taken to reduce the risk of harm; (f) a description of any steps the organization has taken to notify individuals of the breach; and (g) the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner's questions about the breach. | The notice must contain: (a) a description of the circumstances of the breach; (b) the day on which, or the period during which, the breach occurred; (c) a description of the personal information involved in the breach; (d) an assessment of the risk of harm to individuals as a result of the breach; (e) an estimate of the number of individuals to whom there is a real risk of significant harm; (f) a description of any steps the organization has taken to reduce the risk of harm; (g) a description of any steps the organization has taken to notify individuals of the breach; and (h) the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner's questions about the breach. |
| What sanction arises if one fails to report to the commissioner? | The supervisory authority of the given EU state may issue orders, warnings, or reprimands (including administrative fines) against a controller or processor. | It is an offence to fail to provide notice to the Commissioner, and may result in a fine of up to $100,000 for an organization. The Court may order the organization to: correct its practices; and publish a notice of any action taken to correct its practices. | It is an offence to fail to provide notice to the Commissioner, and may result in a fine of up to $100,000 for an organization. |
| Reporting to the individual? | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. | An organization shall notify an individual of any breach of security safeguards involving the individual's personal information under the organization's control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. | The Privacy Commissioner may require the organization to notify individuals of the loss of their personal data. |
| Does the law address reporting to others? | No. | An organization that notifies an individual of a breach of security safeguards shall notify any other organization, including government institutions, of the breach if the notifying organization believes that the other organization concerned may be able to reduce the risk of harm. | No. |
| Does the law prescribe what must be reported to the individual? | The notice must include: | The notice must include: | The notice must include: |
| Does the law permit indirect notification of individuals? | Yes, provided that notifying the individual or individuals would involve "disproportionate effort." | Yes, provided that: | Notification may be given to an individual indirectly if the Commissioner so allows. |
| What sanction arises if one fails to report to the individual? | The data subject has the right to: | The Court may order the organization to: | The Commissioner may make any order it considers appropriate. The Court may order the organization to pay damages to the complainant for loss or injury. |
| Does the law mandate record keeping requirements? | The controller shall document any personal data breaches, including facts relating to the breach, its effects, and the remedial action taken. This documentation will allow the supervisory authority to verify compliance with the GDPR. | | PIPA does not impose any specific requirements to keep records related to breaches. |
| Does the law contemplate exemptions to the notification responsibilities? | Notice to the individual is not required in any of the following circumstances: | The organization is not required to notify the individual of a breach if doing so is prohibited by law. The organization is not required to notify the Commissioner or the individual if it is not reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. | The organization is not required to give notice to the Commissioner if there is no real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure of personal information. The organization is not required to give notice to the individual unless so ordered by the Commissioner. |
If you would like to learn more about what your business can do to prepare for mandatory breach response in Canada, members of our privacy team can assist. If you would like to learn more about the potential impact of the GDPR on your business, members of our privacy team can assist, and where required can direct you to experienced European counsel.
Bibliography
General Data Protection Regulation, EU Reg 2016/679: http://data.europa.eu/eli/reg/2016/679/oj
Personal Information Protection Act Regulation, Alta Reg 366/2003: http://canlii.ca/t/83gh
Personal Information Protection Act, SA 2003, c P-6.5: http://canlii.ca/t/81qp
Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA] (in force): http://canlii.ca/t/7vwj
PIPEDA (pending amendments): http://laws.justice.gc.ca/eng/acts/P-8.6/nifnev.html
PIPEDA (pending regulations): http://laws.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.