It is time for organizations to think ahead and prepare for new requirements imposed under the Digital Privacy Act (formerly known as Bill S-4). The new requirements, which will result in significant amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), will come into force on November 1, 2018.

The new requirements impose mandatory reporting and notification for data breaches. Once in force, organizations subject to PIPEDA will be required to notify the Privacy Commissioner of Canada (the Commissioner) and affected individuals in the event of a data breach. Organizations must do so if the breach could reasonably create a risk of significant harm to an individual. Notification must be provided as soon as feasible once the breach has occurred, and must contain enough information for the individual to understand the significance of the breach. Failure to notify the Commissioner or affected individuals could result in fines of up to $100,000 or an indictable offence.

The effects of the mandatory reporting will not stop at Canadian borders, as PIPEDA applies to foreign organizations that collect, use, or disclose personal information in the course of commercial activities and have a "real and substantial connection" to Canada. As such, those Canadian and foreign organizations subject to PIPEDA must ensure they have systems in place to meet the upcoming requirements.

Acquirers should be aware of and prepared for these changes to privacy legislation. Specifically, where PIPEDA is applicable, an acquirer should ensure during its due diligence process that:

  • The target is meeting the new record-keeping requirements; and
  • The target has reporting systems and policies in place to ensure proper notifications are provided in the event of a breach.

In addition, the due diligence considerations discussed in a previous post on the European Union's implementation of the General Data Protection Regulation (GDPR) are equally relevant and applicable in this case.

With just under four short months before the implementation of the new reporting and notification requirements, it is time for organizations to take a step back and ensure they have appropriate measures in place, and are prepared for November 1.

The author would like to thank Manon Landry, summer student, for her assistance in preparing this legal update.


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
