Proposed PIPEDA regulations will raise corporate obligations

An impact analysis statement on breach of security safeguards outlines proposed new regulations and the impact they will have on Canadian businesses and consumers.

Proposed PIPEDA regulations will raise corporate obligations
A concern for businesses may be the record-keeping obligations imposed by the proposed regulations, says lawyer Kirsten Thompson of McCarthy Tétrault LLP.

An impact analysis statement on breach of security safeguards outlines proposed new regulations and the impact they will have on Canadian businesses and consumers.

Released Sept. 2, the proposed regulations relate to provisions in Canada’s Personal Information Protection and Electronic Documents Act, which are not yet in force.

The statement from Innovation, Science and Economic Development Canada, doesn’t give a timeline for when the new regulations will come into effect. However, Charles Taillefer, director of the privacy and data protection directorate, told Legal Feeds that initial consultations that were conducted indicated a six- to 18-month “transition period.” Representations on the proposed regulations may be submitted up to Oct. 2, 2017.

Lawyers working in the area of cybersecurity, privacy and data management have anticipated the proposed regulations.

“There’s no marked departure from global standards,” says Kirsten Thompson, a partner in McCarthy Tétrault LLP’S national technology group in Toronto, adding that a similar regime already exists in Alberta.

Under PIPEDA, organizations will be required to notify affected individuals of any “real risk of significant harm” to them resulting from a breach of security of their personal information. Organizations must also report to the Office of the Privacy Commissioner of Canada as soon as possible regarding any data breach which poses such a breach. 

The privacy legislation creates an obligation to safeguard information with measures appropriate to the sensitivity of the information. The regulations are flexible enough that each company can decide what its own solutions are, Thompson says; yet having a principle-based system means there are grey areas: “there’s flexibility, but not certainty.”

Tamara Hunter, who practises in the areas of freedom of information and privacy law with DLA Piper (Canada) LLP in Vancouver, says two aspects of the proposed regulations caught her attention. The first was that indirect notification to individuals may be given in circumstances including when the cost of giving direct notification is prohibitive for the organization.

“From the point of view of small- to medium-sized businesses, that would be appropriate,” says Hunter, adding that some consumer groups may lobby to have that removed from the regulations.

The second item is where the company does give notification to affected individuals, the proposed regulations say that the company has to tell individuals they can make a complaint to the privacy commissioner.

“The regulations in Alberta only require businesses to give contact information for someone at the organization, to answer questions. They don’t say, you can make a complaint to the commissioner,” Hunter says. “I’m not sure that’s necessary.”

One concern for businesses may be the record-keeping obligations imposed by the proposed regulations, says Thompson, which require records of breaches to be kept for 24 months after the day on which the organization determines the breach has occurred, and notes that a report made to the Office of the Privacy Commissioner may be used by the organization as its “record of the breach.”

“If you’re a company or business, you don’t want to satisfy the record-keeping obligation only to find out that it may be used [against you] in court at some point,” Thompson says.

There is also the potential for delays in individuals being notified of breaches to their security, she adds. In Alberta, organizations must notify the privacy commissioner first of a breach of personal information, and the individual then makes a determination of risk of individual harm, and can then order a company to notify individuals. As time passes, the ability of affected individual to take prompt action to protect themselves is compromised by that regime, she says, and there’s a concern that the federal commissioner may get similarly bogged down.

The positive effects may outweigh any negatives, though. “Organizations will have to become more transparent about breaches of information security when they happen,” says Hunter, and “consumers will be made more aware.

“What follows from [these regulations] is that organizations now have an obligation to prevent these breaches from happening in the first place,” Hunter adds. “That’s largely a function of senior management commitment to information security, and making sure they have the right mechanisms in place, technologically and operationally, so they’re doing spot checks and audits to make sure people are following the policies they should be following, and creating a culture of privacy and information protection within the organization.”

Recent articles & video

Bennett Jones appears in seven commercial list cases this past week

SCC hearings tackle Charter rights to vote and to trial within reasonable time

SCC confirms manslaughter convictions in case about proper jury instructions on causation

Law firm associate attrition continues to decline, NALP Foundation study shows

How systemizing law firm work allocation enhances diversity efforts and overcomes affinity bias

Dentons advises Saturn on $600 million acquisition of Saskatchewan oil assets

Most Read Articles

BC Supreme Court rules for equal asset division in Port Alberni property dispute

BC Supreme Court rules vehicle owner and driver liable for 2011 Chilliwack collision

Ontario Court of Appeal upholds anesthesiologist’s liability in severe birth complications case

BC Supreme Court upholds solicitor-client privilege in medical negligence case