Recent Developments in Canadian Privacy Law and the Digital Charter

Bibliographic Details

Published in: The Business Lawyer, Vol. 75, no. 1, pp. 1647-1654
Main Authors: Ahmad, Imran; Barbacki, Katherine
Format: Journal Article; Trade Publication Article
Language: English
Published: Chicago, American Bar Association, 22.12.2019

Summary
[...] two of the major enforcement investigations undertaken by the OPC relate to the data breaches at Facebook and Equifax (Part V).

II. Mandatory Breach Reporting and Record-keeping

Since November 1, 2018, organizations subject to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA")2 have been required to report certain breaches of security safeguards to the OPC, to notify affected individuals and third parties in some circumstances, and to keep records of breaches for a minimum period of two years after they are discovered. The Breach of Security Safeguard Regulations ("BSSR")5 prescribe the specific information that the report to the OPC must include, namely: (1) a description of the circumstances and cause of the breach, (2) when the breach occurred, (3) a description of the personal information that is the subject of the breach, (4) the number of individuals affected by the breach, (5) a description of the steps that the organization has taken to mitigate the risk of harm to affected individuals and to notify affected individuals, and (6) the name and contact information of a person who can speak for the organization.6 An organization will also have to notify the individuals affected, by telephone, mail, email, or any other form of communication that would be appropriate under the circumstances.7 This notification must include categories of information similar to what is reported to the OPC.8 Finally, the organization that has experienced the breach must maintain records of the event for a minimum period of twenty-four months following its discovery, and provide the OPC with access to, or a copy of, such records upon request.9 Interestingly, the requirement to maintain records of a breach applies regardless of whether the breach meets the RROSH (real risk of significant harm) threshold that triggers the notification requirements.
Organizations transferring personal information to third parties or across borders are therefore required to employ contractual or other means to ensure a level of protection for personal information that is comparable to the protection afforded under PIPEDA.16 Prior to the April 2019 release of the OPC's Report of Findings following the Equifax investigation (discussed in more detail below), the OPC's policy position on cross-border transfers of personal information had been that a transfer of personal information between organizations for the purpose of processing was a "use" rather than a "disclosure" and did not trigger further consent requirements.17 Following the Equifax decision, the OPC attempted to reverse this position and suggested that a cross-border transfer of personal information between organizations should be deemed a "disclosure" that triggers a requirement to obtain consent from the individuals concerned.18 In April 2019 the OPC announced a consultation on transfers for processing in an effort to revise its prior, well-established position.19 Shortly after the Digital Charter was announced, the OPC reframed its public consultation, which came to a close in October 2019.
ISSN: 0007-6899; 2164-1838