Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach—the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow the those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.

Continue Reading Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect

By Dan Cooper and Rosie Klement

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”).  The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.

The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.

Notably, the CJEU’s opinion was consistent with its recent judgments concerning data transfers to “third countries” (outside the EEA) in Schrems and Tele2/Watson
Continue Reading CJEU: EU-Canada proposed agreement on the transfer of Passenger Name Record data does not conform to EU data protection law standards

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law.  The DPA amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA) in important respects, including introducing a new data breach notification requirement (which is not yet in force) and making other material changes to PIPEDA.  This post summarizes key changes to PIPEDA brought about by the DPA.
Continue Reading Highlights of the Canada Digital Privacy Act 2015

By Lala Qadir

Canada’s telecommunications regulator, the Canadian Radio-Television and Telecommunications Commission (CRTC), issued its first fine under a new anti-spam law.  The CRTC alleged that Compu-Finder sent users emails without acquiring their consent and did not provide a way for consumers to unsubscribe from the emails.   Compu-Finder has 30 days to submit written representations to the CRTC or pay the penalty.  It can also request an “undertaking” with the CRTC on this matter.

Under Canada’s Anti-Spam Law (CASL), which came into effect on July 1, 2014, businesses are required to obtain explicit consent from users prior to sending them commercial electronic messages.  Prior to this law, companies relied on implied consent to assume that consumers consented to communications by providing them an email address.   Additionally, CASL prohibits making false or misleading representations in electronic communications and collecting personal information without consent.
Continue Reading Compu-Finder Subjected to $1.1M Penalty, First Fine Under Canada’s New Anti-Spam Law

By Lala Qadir

The Supreme Court of Canada recently issued a 4-3 decision that gave the police a green light in conducting warrantless searches of an arrestee’s cell phone as long as the search is directly related to the suspected crime and records are kept.  Over three dissenting judges that characterized mobile phones as “intensely personal and uniquely pervasive sphere of privacy,” the majority held a balance can be struck that “permits searches of cell phones incident to arrest, provided that the search—both what is searched and how it is searched—is strictly incidental to the arrest and that the police keep detailed notes of what has been searched and why.”

Canada’s high court ruling stands in stark contrast to that of the United States.  Earlier this year, the United States Supreme Court heard argument on two cell phone cases—Riley and Wurie—ultimately holding that warrantless searches of cell phones, even when held incident to an arrest, were unconstitutional unless they were subject to specific exceptions to the Fourth Amendment’s warrant requirement.
Continue Reading Canada’s Highest Court Rules That Police Can Search Cell Phone Contents After Arrest

Last week, the Office of the Privacy Commissioner in Canada (OPC) issued important guidance under Canada’s national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  The guidance highlights various scenarios in which PIPEDA applies based on judicial opinions and previous OPC interpretations.  In general, PIPEDA applies to the personal information that an

The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort.  In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records.  The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s

After much mulling, the Canadian Parliament passed, on December 16, Bill C-28, the Fighting Internet and Wireless Spam Act, which creates a new regime for businesses engaged in online marketing.  The legislation regulates commercial “electronic messages,” a term defined broadly to include e-mail, instant messaging, text messages, and messages on “any similar account” —