Tag Archives: Canada

New Data Breach Reporting Requirements in Canada

The Office of the Privacy Commissioner of Canada (OPC) recently released official guidance for reporting data breaches pursuant to Canada’s new data breach reporting law. A change in Canada’s law, effective November 1st, requires companies subject to Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report data breaches in certain instances and keep records of all breaches. The guidance relates to how to determine what breaches must be reported to the OPC, and what kind of notice you need to give individuals. The guidance also relates to the obligation to keep records of breaches and what information needs to be included.

Qualifying a Reportable Breach

A “breach of security safeguards” refers to the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of a company’s security safeguards or from a failure to establish such safeguards.

Air Canada – The Latest Company Compromised by Data Breach

Air Canada, Canada’s largest airline by fleet size and passengers carried, has reported a massive data breach of its mobile app, putting the passport details and other personal information of thousands of passengers at risk.

Air Canada’s Response

The airline issued a warning to mobile app users that their personal data may have been compromised in a cyberattack. This may place those who entered their details at risk of identity theft. It is believed that approximately 20,000 customers may have had their data stolen. All Air Canada app users have been asked to change their passwords.

Profile data, such as names, email addresses, passport numbers, genders and dates of birth, among other fields, can all be stored in the airline’s app, making this stored data a likely target of the attack.

Canada’s Mandatory Breach Notification Takes Effect November 1

The Canadian government recently published a cabinet order laying out federal data breach reporting regulations through the Personal Information Protection and Electronic Documents Act (PIPEDA) and amendments. Similar to other breach notification requirements, these new regulations mandate that organizations that experience a “breach of security safeguards” notify all affected individuals, as well as the Privacy Commissioner and any other related organizations and governmental institutions. The order also includes fines of up to $100,000 (CAD) for noncompliance. These regulations will go into effect starting on November 1, 2018.


Canada Anti-Spam Law Private Right of Action Suspended

The highly anticipated date of July 1st was supposed to bring private right of action to Canada’s anti-spam legislation. We reported on the topic here.

However, the Government of Canada has chosen to suspend the provision after a wave of backlash from businesses. In a statement last week, the Government of Canada announced that even though

“Canadians deserve an effective law that protects them from spam and other electronic threats,” Canadian organizations should not have to bear this burden of unnecessary red tape and costs associated with compliance.

The Canadian Government indicated that it supports a “balanced approach that protects the interests of consumers while eliminating any unintended consequences for organizations” and will ask a parliamentary committee to review CASL.

This seems like a good move for both sides. Businesses, for the time being, won’t have to worry about multi-million dollar lawsuits on top of the onerous provisions of CASL. And the legislation will have a chance for review and improvement.

Although the private right of action is no longer impending, Canadian organizations are still at risk of incurring administrative penalties if they do not comply with CASL (maximum of $1,000,000 for individuals and $10,000,000 for businesses). A healthy compliance program will avoid exposure to penalties.

For any other questions related to the regulations under CASL, send those to our team at cyberteam@eplaceinc.com.

Canada Anti-Spam Law Gets Private Right of Action

Class action lawyers are champing at the bit with regard to Canada’s anti-spam legislation (CASL).

A private right of action under CASL comes into force on July 1. Companies will no longer have to worry only about government regulators, but also about potential class action lawsuits.

CASL regulates all commercial electronic messages sent to Canadian citizens. The largest threat arising from this type of private right of action is class action litigation: the corporate conduct being regulated is not one-off communications with customers, but rather email blasts, mass software updates, and the like.

Government regulators have had the authority to enforce the requirements of CASL since it came into force. Over the past couple of years they have settled a few cases involving inadequate consent and problems with the unsubscribe mechanism, including:

  • June 2015: Porter Airlines – $150,000
  • November 2015: Rogers Media – $200,000
  • August 2016: Kellogg Canada – $60,000

However, the government tends to allocate its enforcement resources to the more egregious or unusual violations. Private plaintiffs are both more plentiful and profit-driven.

As we know, class action lawsuits can pay a few bucks for the class members, and pay big for lawyers. Expect to see some sharks in the water come summertime.

Five Important Changes to Canada’s PIPEDA

The Canadian government passed the Digital Privacy Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the collection, use, and disclosure of personal information by private organizations in Canada. There are several important changes for Canadian organizations to take note of.

It’s also worth noting that these amendments expand the situations in which organizations are allowed to share personal information without consent. However, organizations should be aware that PIPEDA requires use or disclosure of personal information to be reasonable, and appropriate safeguards must be in place when personal information is transferred from one entity to another.

1. Data breach notification requirements

PIPEDA now includes data breach notification requirements that will come into effect at a later date to be announced. Organizations affected by a data breach will be required to disclose the incident to the Office of the Privacy Commissioner of Canada (OPC) and to affected individuals when a reasonable expectation of harm exists as a result of the breach. Violations may result in fines of up to C$100,000. Additionally, the OPC will be able to publicize data breaches as it sees fit.

2. Sharing personal information during business transactions

Organizations are now allowed to use and disclose personal information without consent when it is necessary to determine whether to proceed with a business transaction. This does not apply when the primary purpose of the transaction is to buy, sell, or lease personal information. If the transaction is not completed, all personal information received must be returned or destroyed within a reasonable amount of time.

3. Notice required for using employee information

Federal works, undertakings or businesses (FWUBs) are now allowed to collect, use, and disclose the personal information of an individual without his or her consent where it is necessary in order to establish, manage, or terminate an employment relationship with that individual. However, the FWUB is required to inform the individual of the purpose of the collection, use, or disclosure.

4. Sharing personal information during investigations

Organizations are now allowed to disclose personal information to another organization without consent when it is reasonable for the purposes of investigations relating to a breach of agreement or Canadian law and when it is reasonable to expect that obtaining consent from the individual would compromise the investigation.

5. OPC enforcement actions include compliance agreements

The OPC now has the authority to enter into compliance agreements with organizations where it believes an organization has violated, or is likely to violate, PIPEDA. Compliance agreements are voluntary for organizations and can be entered into to demonstrate a commitment to privacy protection.

Canada Joins APEC Cross-Border Privacy Rules System

The Asia-Pacific Economic Cooperation (APEC) announced in a press release that Canada has become the latest addition to the APEC Cross-Border Privacy Rules (CBPR) System, joining the U.S., Mexico, and Japan. The CBPR system works to increase the protection of consumer data as it is transmitted across borders throughout the Asia-Pacific region.

The CBPR system requires organizations in participating APEC member countries to develop their own internal rules on cross-border data privacy procedures, complying with the minimum requirements set forth in the APEC Privacy Framework.