On September 21, 2017, in a press conference following the publication of his 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act, the Privacy Commissioner (the “Commissioner”) announced his plans to shift from a complaints-driven ombudsman enforcement model to one focused on proactive enforcement and compliance. This announcement comes on the heels of the Canadian government publishing proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which will impose significant obligations on organizations collecting, using and disclosing personally identifiable information.
Greater Enforcement Action
The Office of the Privacy Commissioner (the “OPC”) received submissions from various stakeholders, held several roundtables across Canada and conducted direct consultations with Canadians through focus groups. The Commissioner found that Canadians fear losing control over their personal information in an increasingly digital age and that changes are needed to restore confidence in how private-sector organizations collect and use their information.
The Commissioner indicated that he would seek legislative amendments to PIPEDA so that he can obtain the power to make orders and impose administrative monetary penalties. He argued that this would bring Canada in line with many of its provincial and international counterparts, such as the United States and Europe.
Interestingly, the Commissioner indicated that he would not wait for the legislative changes he is demanding and would immediately take steps to improve privacy protections for Canadians, including:
- Adopting a Proactive Enforcement and Compliance Model. Instead of relying on a complaints-based ombudsman model of privacy protection, this new approach will allow the OPC to identify privacy problems related to complex technologies and proactively address them through involuntary audit mechanisms.
- Updating Key Guidance for Online Consent. This will include identifying four key elements that must be highlighted in all privacy notices and must be explained in a user-friendly manner to Canadians.
- Developing New Guidance. This will entail specifying areas where collection, use and disclosure of personal information is strictly prohibited.
The Commissioner will be seeking additional financial resources from the federal government to carry out the OPC’s proposed expanded mandate.
Mandatory Breach Notification Requirements Coming
In addition to the Commissioner’s proposed plans to expand the OPC’s enforcement mandate, he will be responsible for enforcing mandatory breach notification and record-keeping requirements, which are likely to come into force in the first half of 2018.
In June 2015, the federal government passed Bill S-4 – The Digital Privacy Act (the “DPA”), which modified PIPEDA in several key ways. While most of the amendments came into force when the DPA was passed, provisions relating to mandatory breach notification and record-keeping did not. On September 2, 2017, after much delay, the federal government published proposed Breach of Security Safeguards Regulations (“Breach Regulations”) to bring those provisions into force. Once these regulations are finalized, they will impose significant new obligations on organizations should they become subject to a data breach.
Under PIPEDA’s mandatory reporting and notification regime, organizations that experience a data breach, defined as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards, must report the incident to the OPC and notify affected individuals where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual”. The term “significant harm” is defined in PIPEDA and includes, among other things, bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Reports to the OPC
The Breach Regulations prescribe specific information that must be included in an organization’s report to the OPC. The report must include the following items:
- a description of the circumstances and cause of the breach;
- the date or period of the breach;
- a description of the personal information that is the subject of the breach;
- an estimate of how many individuals are exposed to a “real risk of significant harm”;
- a description of what the organization has done to reduce or mitigate harm;
- a description of what the organization has or intends to do to notify each individual; and
- contact information of a person who can answer the Commissioner’s questions about the breach.
Notification to Affected Individuals
Notification to affected individuals must also be provided in a prescribed form, as detailed in the Breach Regulations. Requirements include:
- a description of the circumstances of the breach;
- the day on which, or the period during which, the breach occurred;
- a description of the personal information that is the subject of the breach;
- a description of the steps taken by the organization to reduce or mitigate the risk of harm to the affected individual resulting from the breach;
- a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
- a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
- information about the organization’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Commissioner.
The Breach Regulations prescribe the manner in which direct or indirect notification is provided. Direct notification can be provided by email (so long as the affected individual has consented to receiving information in this manner), by letter delivered to the last known home address of the affected individual, by telephone, or in person. Indirect notification can be provided in circumstances where: giving direct notification would cause further harm to the affected individual; the cost of giving direct notice is prohibitive to the organization; or the organization does not have the affected individual’s up-to-date contact information. The Breach Regulations provide that indirect notification may be given through a conspicuous message posted to the organization’s website or by means of an advertisement that is likely to reach the affected individuals.
The Breach Regulations require organizations to maintain a record of every breach of security safeguards for a minimum of 24 months after the organization has determined that a breach has occurred. These records should be sufficiently detailed and include, among other things, the methodology undertaken and the factors considered in determining whether a particular breach met the threshold of “real risk of significant harm.” These records will be used by the Commissioner as a means to verify compliance and inform further enforcement action, if required.
Looking at the Commissioner’s recent announcement, coupled with the forthcoming mandatory data breach and record-keeping requirements, it is clear that Canadian organizations can expect greater regulatory enforcement action by the OPC when it comes to privacy and data protection.
While a standard of perfection is not required, organizations must be able to demonstrate that they have taken reasonable steps to ensure compliance and implement best practices. In this regard, organizations should start reviewing their existing privacy and data protection protocols and policies and identify any material gaps or issues. This process will inform organizations on what steps need to be taken to ensure regulatory compliance and withstand scrutiny by the OPC.