In a recent post, we discussed the Canadian Cabinet’s announcement that Canada’s new data breach regulations go into effect on November 1, 2018. Despite announcing the effective date, Canada had not yet finalized these regulations.  However, on April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”).

To highlight some of the finer points, in order to trigger notification requirements, the Regulations require organizations to determine if a data breach poses a “real risk of significant harm” to any individual had their information accessed in the breach.  If an organization meets this harm threshold, then the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals.  

As far as reporting, the notification to the Commissioner must describe the circumstances of the breach, the time period, the personal information accessed, the number of individuals compromised, steps taken to reduce harm to those individuals, steps taken to notify those individuals and an organization point of contact who can answer any follow-up questions regarding the breach. The notification to the individuals requires the affected organization to disclose similar information.  As far as the communication mechanism of the individual notification, the Regulations give affected organizations flexibility to use any form of communication that a reasonable person would consider appropriate, such as phone, email or advertisement.

Interestingly, rather than specifying a strict time frame for notification, the Regulations require such notification to be completed “as soon as feasible.” In providing this flexibility, the Cabinet recognized that it takes time for organizations to gather all necessary information.  Lastly, the Regulations establish a mandatory minimum of two years for the maintenance of all records related to the breach.

It is interesting to note that these Regulations bare some similarity to the European Union’s (“EU”) new General Data Protection Regulation (“GDPR”), which goes into effect on May 25, 2018. For example, similar to GDPR, the Regulations have harsh penalties. In particular, the Regulations impose fines up to $100,000 CAD for each affected individual of a breach, whereas a violation of the GDPR can carry with it a fine of up to four percent (4%) of annual global turnover or €20 Million, whichever is greater.  Overall, the Regulations demonstrate a clear message that Canada would like to align as much as possible with the GDPR to try to maintain Canada–EU trade relationships.