Cybersecurity, data protection and privacy are some of the most important legal risks for Canadian business in 2018.
Personal Information Security Breach Obligations
Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) will soon impose record-keeping, reporting and notification obligations on organizations that suffer a “breach of security safeguards” regarding personal information under their control. At this time, Alberta is the only Canadian jurisdiction that imposes personal information security breach reporting obligations on private sector organizations. PIPEDA’s security breach obligations, when in force, will require that an organization create and maintain a record of every personal information security breach, and provide those records to the Privacy Commissioner on request. In addition, if a personal information security breach creates a “real risk of significant harm to an individual”, then the organization will be required to: (1) report the breach to the Privacy Commissioner; (2) give prescribed notice of the breach to all affected individuals; and (3) give notice of the breach to other organizations or government institutions that might be able to reduce the risk of harm that could result from the breach or mitigate that harm. A knowing contravention of the security breach obligations will be an offence punishable by a fine of up to $100,000. The security breach obligations will come into force after required regulations are finalized. The federal government issued proposed regulations in September 2017. For more information, see BLG bulletin Preparing for Compliance with Canadian Personal Information Security Breach Obligations.
European Union General Data Protection Regulation
The European Union General Data Protection Regulation (the “GDPR”), which comes into force in May 2018, will apply to Canadian organizations that have an establishment in the European Union or that collect or process personal data of European Union residents in connection with an offering of goods or services or to monitor European Union residents’ behaviour. The GDPR gives regulators the ability to impose on a non-compliant organization fines of up to the higher of €20 million or 4% of worldwide annual revenue of the organization’s undertaking (corporate group) during the previous year. The GDPR is a significant evolution in personal information protection laws, and is materially different in important respects from Canadian laws. Compliance with Canadian laws will not satisfy GDPR requirements. Preparing for compliance with the GDPR may require significant effort, time and expense, and may involve changes to business models and corporate structures. For more information, see BLG bulletin The European Union General Data Protection Regulation – A Primer for Canadian Organizations.
Rethinking Privacy Consent and Enforcement
The Office of the Privacy Commissioner of Canada published in September 2017 a Report on Consent that provides detailed comments and guidance regarding meaningful consent in the digital environment, and recommends that the federal government amend relevant parts of PIPEDA. The Report also recommends PIPEDA amendments to give the Privacy Commissioner order-making powers and the authority to impose administrative monetary penalties on organizations that violate PIPEDA. For more information, see BLG bulletin The OPC Publishes its Report on Consent.
For more information about other legal risks for business, see BLG’s Top 10 Legal Risks for Business in 2018.