Ottawa’s new privacy rules give businesses flexibility on data breach reporting

Ottawa has rolled out the long-awaited requirements in a notice in the Canada Gazette that indicates the government wanted to protect consumers without overburdening private-sector organizations with excessive costs or complexity.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.”

The newly published regulations also give organizations flexibility to use any form of communication to individuals that a reasonable person would consider appropriate, such as phone, email or advertisement.

Companies that had been hacked had previously been alerting the public on their own timeline, although those under federal jurisdiction have been notifying the Office of the Privacy Commissioner and some provinces have other requirements.

There was mixed reaction Thursday to the new regulations for the Personal Information Protection and Electronic Documents Act, part of an update that was passed into law in 2015.

Class action lawyer Jean-Marc Leclerc said “it’s a good thing in a general sense that finally a statute in Canada requires a privacy breach to be notified” even though it provides too much “wiggle room” to organizations with breaches.

He’s a partner at Sotos LLP, a Toronto-based firm that’s launched a class action case against Equifax Canada shortly after American credit-monitoring service Equifax Inc. revealed a breach affecting an estimated 143 million people in the United States.

“The point is, there was no legislation in force that required Equifax to disclose what, at that point, looked like extremely sensitive financial information belonging to potentially millions of Canadians who were in Equifax’s databases.”

But he said disclosure of a breach could damage the organization’s reputation and open it to class action suits that would usually be far more expensive than a fine of $100,000 per violation of the breach notification regulations.

“Faced with those consequences, and the possibility of a $100,000 fine, I know what some companies would choose,” Leclerc said in a interview.

However privacy lawyer Imran Ahmad, a partner at Miller Thomson, said he thinks the $100,000 fine does provide “some teeth” and the requirement to do a risk analysis and keep records of all breaches for two years can be “onerous.”

“It’s a record that can be used against you,” Ahmad said.

Former Ontario privacy commissioner Ann Cavoukian, who now heads a privacy centre of excellence at Ryerson University, said that the wording in the new federal regulations is far too loose to sufficiently protect consumers.

She added that the whole point of notifying the privacy commissioner of all breaches — without the condition that they are a “real risk” of “significant” harm — was to ensure that individuals know that a breach of their security had happened.

“This lets everybody off the hook,” Cavoukian said.

Recent news reports have revealed that the Uber ride-hailing company tried to cover up a breach more for than a year by paying off hackers.

Prior to that, it took Yahoo! years to disclose the full extent of a 2013 breach. It originally announced one billion people were affected but announced last year, after the Equifax revelation, that about three billion people were affected.

In 2010, the province of Alberta became the first Canadian jurisdiction to require private-sector organizations disclose breaches when “a real risk of significant harm” exists.

Uber only began to alert Canadians who had been compromised in its data breach after Alberta’s privacy commissioner ruled it must notify impacted drivers and riders in the province.

The new federal regulations provide more clarity about PIPEDA, which was amended in 2015 to provide for fines of up to $100,000 per violation once the regulations come into force.

After consultations last year, the new regulations will require organizations to keep records of security breaches for at least two years after discovery, not five years as the privacy commissioner recommended.

The Gazette notice posted on Wednesday says that five years was considered “overly burdensome” for regulated organizations given that record-keeping requirements cover all breaches, regardless of the risk they pose.

Similarly, the PIPEDA revision rejects the privacy commissioner’s request for mandatory reports on how an organization conducted its assessment of the risk of harm posed by a breach — saying it exceeded Parliament’s intention.

— David Paddon