New Law Requires Businesses to Disclose Data Breaches

Canada’s Privacy Commissioner is gaining more power under a new federal law that will also require businesses to disclose any data breaches that affect customers.

“The Digital Privacy Act will protect the personal information of Canadians online,” Industry Minister James Moore said in a statement. “It will hold companies to account when Canadians’ personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law.”

The law, which went into effect on June 18, updates Canada’s Personal Information Protection and Electronic Documents Act, which applies to businesses in every province except British Columbia, Alberta, and Quebec.

Businesses in those provinces are also subject to PIPEDA if they operate in federally regulated sectors or when personal information crosses provincial borders.

The law sets new requirements for obtaining consent to acquire a user’s personal information.

Businesses will now be required to “use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online,” according to a press release issued by Industry Canada.

This “‘sliding scale’ … could render existing consents null,” according to a newsletter published by law firm McCarthy Tétrault.

The law will also require businesses to notify customers if their personal data is lost or stolen and there is a “real risk of significant harm” to those customers.

That harm doesn’t just have to be financial – it also includes a risk of humiliation or “damage to relationships.”

Businesses that cover up a breach or “deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000,” Industry Canada says.

According to McCarthy Tétrault, “it is unclear at this time whether a ‘violation’ will include a single incident (e.g. a single failure to notify all individuals) or each incident (e.g. each failure to notify each individual).”

While most of the provisions of the law are in effect, this disclosure requirement won’t be going into effect until specific regulations are drafted.

It’s not clear when that will happen.

The law also gives the Office of the Privacy Commissioner the power to enter into “compliance agreements” with businesses that it believes have broken the law or are about to.

“Such agreements may contain any terms the Commissioner deems necessary to ensure compliance, and the Commissioner may go to courts to ensure compliance with the agreement’s terms if needed,” lawyer Daniel P. Cooper wrote in the National Law Review.

The law will also allow the Privacy Commissioner’s office more latitude to disclose information contained in complaints.

The Privacy Commissioner says he welcomes the new changes.

“Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians,” Daniel Therrien, the Privacy Commissioner, said in a release. “Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach.”

The law isn’t just a crackdown. It also modernizes some exemptions to the consent requirements, allowing businesses to disclose personal information related to some business transactions, or to investigations into breaches of Canadian law or of agreements, without the individual’s consent.

Those changes may prove to be the most controversial.

“It would theoretically allow an Internet service provider to hand over customer name and address information without a court order in the event of an alleged copyright violation,” David Fraser, a lawyer with the Halifax-based law firm McInnes Cooper, told IT World Canada.