Canadian Privacy Policy Addendum Could Ripple Through US Companies

Published On May 09, 2018

Data protection rules may be about to get a lot more interesting north of the border.

The Canadian privacy policy addendum that is currently under consideration would update the Personal Information Protection and Electronic Documents Act (PIPEDA), which stipulates the rules that most Canadian organizations must follow to safeguard people’s privacy. The proposed amendments are intended to modernize the regulation, which was last updated in 2015, and bring it closer in line with the General Data Protection Regulation, which is set to take effect in Europe in late May. While GDPR applies specifically to the European Union, it also requires that personal data moved out of Europe must be subject to the same protections.

Canada’s proposed amendments will have the greatest impact on information security operations. PIPEDA currently requires organizations that have experienced a data breach to conduct a risk assessment covering potential misuse of the information compromised, notify both affected individuals and organizations that can mitigate harm, and maintain records of the breach for government review.

Under the proposed amendments, organizations would also have to describe the circumstances, timing and duration of the breach. They will have to prepare a detailed description of the personal information exposed and provide an estimate of how many people face risk of harm, steps being taken to notify those individuals, measures being taken to reduce risk, and contact information for questions from the government’s Privacy Commissioner. The Canadian privacy policy addendum also expands the details organizations must provide to people whose information was exposed — organizations will also have to specify how the government can contact those people. Finally, the proposal would require firms to maintain a record of every breach for at least 24 months. Reuters has an overview of the proposed changes here.

While PIPEDA applies solely to Canada, many U.S. companies may also be affected. The law states that foreign businesses that collect, use or disclose private information during a commercial activity with a “real and substantial connection” to Canada are covered. That means that a company with clients in Canada, or one that holds the personal information of its clients’ customers, is probably on the hook. Organizations should consult their legal counsel to be sure.

For chief information security offers and records and information management professionals, the Canadian privacy policy addendum would raise the bar on the types of information they collect and the steps they take to respond to a data breach. In the U.S., those rules are specified on a state-by-state basis, making reporting a complex and expensive process. With the EU adopting and Canada considering similar guidelines, U.S. organizations may want to revise their own reporting and record-keeping practices to comply with the higher standards in those jurisdictions with the justification that doing so would automatically bring them into compliance with the 52 different domestic reporting statutes.

One thing seems certain: Privacy regulations are only likely to get stronger. Australia just enacted similar rules and New Zealand is next in line.