The problem is that the breach notification regime sketched out in Clause 11 of Bill C-12 is designed in a manner that will impose on subjective organization decision-making so minimally as to be almost counterproductive.
Unfortunately, while Clause 14 of Bill C-12 expands subsection 16(a) to include remedies for elements of the data breach notification regime, it does not do so for sections 16(b)-(c).
While the OPC has recently signaled its intention to call for order making and fine imposing powers in general (presumably these would cover the breach notification regime as well as existing PIPEDA obligations), there appears to be little Government will to update PIPEDA or improve privacy protections.
The idea of implementing a breach notification regime is a good one, as 47 of the 52 U.S. states have found.
I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018.
Not exact matches
Prescribing the content of notifications to individuals and reports to the Commissioner will align the federal private sector regime for mandatory breach reporting with equivalent provincial legislation, and those of Canada's major trading partners.
Under PIPEDA's mandatory reporting and notification regime, organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada and notify affected individuals.