We’ve blogged previously about the patchwork of state data privacy laws, and the challenges it poses for multinational businesses. Now, U.S. companies need to beware of our neighbor to the north as well: Canada has enacted a new breach notification regulation that may have implications well beyond its geographical borders.
The new Breach of Security Safeguards Regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect on November 1, 2018. Together with the amended Act, they require organizations to report a data breach, even one affecting only a single person, if it creates a “real risk of significant harm” to an individual.
The Regulatory Impact Analysis Statement accompanying the new regulation explains that it is intended to bring Canada’s privacy laws closer in line with the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, roughly five months earlier.
But the new law raises a far more difficult question for international organizations; that is, just how far beyond Canada’s borders does the new law reach?
Companies with a connection to Canada, however remote and wherever they are located, will need to keep an eye on the law’s requirements. Canadian courts have already held that the Privacy Commissioner of Canada, the country’s top privacy official, can investigate violations of PIPEDA by non-Canadian businesses if the organization has a real and substantial link with the country. In Lawson v. Accusearch Inc., 4 F.C.R. 3 (Fed. Ct. 2007), for example, a Wyoming-based corporation performed a background check on a Canadian individual, such that “much of the data had to have come from Canada.”
The Commissioner has also investigated the activities of a Romanian business that republished Canadian court decisions involving Canadian individuals and was found to have violated provisions of PIPEDA; an international airline headquartered in Amsterdam that offered flights within Canada to Canadians, and was directed to update its privacy policy to comply with the Act after failing to respond in time to a consumer’s request for a copy of his personal information; and a New Zealand-based company that allegedly copied Canadian Facebook users’ information without their consent. In the last of these cases, the Commissioner found a “real and substantial connection” with Canada because the website held information on millions of Canadian users, allowed searches to be limited to Canadians, and delivered Canadian-targeted advertising. It brushed aside any tension with the New Zealand privacy authority, which had already completed its own investigation, noting that it was “looking at the matter through the application of Canadian privacy law, which, while similar, is different from New Zealand law.”
In short, U.S.-based and multinational organizations that handle the personal data of Canadians should carefully assess whether they are subject to Canadian data privacy laws. If a data breach potentially affects the personal data of Canadians, companies should consider whether a notification under the Canadian Breach of Security Safeguards Regulations is required.
Such notices must, at a minimum, be sent to the Privacy Commissioner of Canada and to the affected individuals; the Act also requires notifying any other organization or government institution that may be able to reduce the risk of harm. Unlike the GDPR’s 72-hour deadline, the Canadian law sets no fixed time frame for reporting a breach, but it does require that reports and notifications be made “as soon as feasible” after the organization determines that the breach has occurred. Organizations must also keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for 24 months, and must provide those records to the Commissioner on request.
As under the GDPR regime, noncompliance with the Canadian law carries a price. Knowingly failing to report a breach, to notify affected individuals, or to keep the required records is an offence under PIPEDA, punishable by a fine of up to C$100,000 on indictment (or up to C$10,000 on summary conviction). The maximums are far below the GDPR’s turnover-based penalties, but the exposure is criminal rather than administrative, and it attaches to each offence.
Interestingly, Canada recognized the problem created by patchwork regulation within its own borders, and PIPEDA exempts organizations and activities that take place wholly within the provinces of Quebec, British Columbia and Alberta, each of which has a private-sector privacy law deemed substantially similar to PIPEDA. Even in those provinces, however, PIPEDA still applies to federally regulated businesses such as banks, airlines and telecommunications carriers, and to personal information that crosses provincial or national borders, so a U.S. company dealing with customers in Vancouver or Montreal is rarely out of its reach. And there is no comparable carve-out for companies that are already regulated by a U.S. privacy law, such as the California Consumer Privacy Act of 2018 (CCPA).