The Government of Canada has announced that its proposed data breach notification requirements pursuant to the Digital Privacy Act (the «Act») will take effect on November 1, 2018.
While it is not clear whether this precipitated the implementation of the Act's data breach notification requirements, it certainly means that any businesses operating in Canada should take immediate action to prepare for the changes.
In addition, PIPEDA has no mandatory data breach notification requirements which would inform the commissioner's office when a breach occurred so that it could investigate and address data protection issues.
PIPEDA even lags behind the laws of those few provinces that have their own private sector data protection statutes: Commissioners in Quebec, B.C. and Alberta have order making powers, and Alberta also has mandatory data breach notification requirements.
PIAC argued that the current voluntary data breach notification requirements are not serving the public interest because companies are allowed to decide whether the scope of a data breach warrants notifying the public — an argument PIAC has been making since 2003.
However, on October 3, 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements.
For further information about the data breach notification requirements of the My Health Records Act, see the OAIC's Guide to mandatory data breach notification in the My Health Record system.
Even though PIPEDA does not have mandatory data breach notification requirements yet, the privacy commissioner has always encouraged notification if the breach is significant and companies want to get ahead of the story by notifying relevant regulators before an individual makes a complaint or the media breaks the story — if only to better shape the narrative.
However, the private sector B.C. Personal Information Protection Act does not have mandatory data breach notification requirements.
Mårten Mickos, CEO of HackerOne, a bug bounty startup, urged legislators to revise laws used to prosecute hackers and to standardize data breach notification requirements at the federal level.
Facebook didn't alert users that Cambridge Analytica was in possession of wrongfully obtained data, even though it knew about it for years, and although the company says it's going to alert everyone affected, without a federal data breach notification requirement, there's nothing preventing the company from deciding to keep users in the dark again.
Depending on what the breach is, an investigation will likely need to be performed to determine what data may have been taken and whether that triggers any notification requirements.
The new rules will introduce mandatory data breach notification for all, joint and several liability for suppliers (data processors); tougher restrictions on the use of profiling and the collection and use of children's data; enhanced rights for individuals; and a requirement for most organisations to appoint a data protection officer.
In addition to the notification requirements under privacy legislation, the organization could also have a broader legal duty under negligence law to notify an individual whose data has been breached if that breach could harm, or could materially increase the risk of harm to, that individual.
The Digital Privacy Act amends the federal Personal Information and Protection of Electronic Documents Act (PIPEDA) to mandate a data breach response that includes reporting, notification and record-keeping requirements.
Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)
It warns that data breaches are likely to become more costly, with the proposed new European Data Protection Regulation «expected to bring mandatory breach notification requirements».
To the extent that the proposed Regulations can align data breach reporting under PIPEDA with requirements in other jurisdictions, this would reduce the burden of notification for many organizations in Canada.
The GDPR will implement more stringent operational requirements for processors and controllers of personal data, including, for example, requiring enhanced disclosures to data subjects about how personal data is processed, limiting retention periods of personal data, requiring mandatory data breach notification, and requiring additional policies and procedures to comply with the accountability principle under the GDPR.
The regulation includes mandatory notification of any data breaches within 72 hours, and a requirement that sites get explicit consent from users in order to collect data.
In Europe, such concerns prompted the passing of the General Data Protection Regulation (GDPR) which will be enforced in May 2018 and that enacts legal requirements for privacy, breach notifications, and more.
Among his proposals was «The Personal Data Notification & Protection Act», which clarifies and strengthens the obligations businesses have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach. President Obama also highlighted the actions of Bank of America and JPMorganChase, who have joined a growing list of firms making credit scores available for free to their consumer card customers.