Canadian Privacy Breach Notification Rules in Force on November 1, 2018

On March 26, 2018, the Government of Canada quietly announced that, on November 1, 2018, important changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force. Among other things, the changes will require domestic and foreign organizations subject to PIPEDA to: (a) notify individuals about privacy breaches; (b) report privacy breaches to the Office of the Privacy Commissioner of Canada and others in certain circumstances; and (c) keep certain records of privacy breaches.

The provisions that will be coming into force are a combination of statutory provisions in PIPEDA and a set of regulations which address matters such as the content of notices and breach record keeping. A draft of the regulations was published in fall of 2017. The final version of regulations are expected to be released in April 2018. As we have written about previously in New Rules for Mandatory Privacy Breach Notification in Canada, the new rules will have sweeping compliance, legal risk and related impacts for organizations that process information about Canadians.

Prior to November 1, 2018, all domestic and foreign organizations subject to PIPEDA will need to take steps to ensure that they have assessed and addressed how they will comply with the new rules and regulations.