Canadian Privacy Breach Notification Law in Force Now

Canadian Privacy Breach Notification Law in Force Now



It was in March this year that the Government of Canada had announced that amendments to the Personal Information Protection and Documents Act (PIPEDA) would come into effect. And now, that act has been applied in Canada and requires organizations to report any data breach clearly – even when it’s only one individual gets affected and sees significant privacy harm.


As things stand today, it’d be safe to say that managing privacy is the new normal just like paying taxes and securing data. Cybersecurity is on a continuous evolution, and a standard of privacy that is constant should not rage behind.

Therefore, for that reason, several new regulations have been introduced, and some got passed. For instance, GDPR, Colorado Protection for Consumer Data Privacy Law, California’s Consumer Privacy Act, and Vermont’s data Broker Law. Now in Canada, PIPEDA is in effect.


Just like other privacy laws, PIPEDA requires that organizations must have consent to either collect, use or even disclose personal information. This means that when using the data, these organizations must do so only for that purpose to which an individual has consented.

Also, individuals must have the ability to access the information they provide to make changes or for correcting mistakes. PIPEDA has got lighter penalties when compared to other privacy regulations.

The private-sector businesses operating within Canada or merely doing business with the Canadian customers are required by PIPEDA to report any security incident to the Privacy Commission of Canada (OPC) if the risk is significant to the consumers regardless of the breach’s size or the number of affected consumers.

Failure of a report to the OPC about a breach can cost an organization a fine of up to $100,000. Surprisingly, PIPEDA may not cover Canada entirely hence raising the question of its applicability in certain provinces like Alberta, British Columbia and Quebec with laws deemed similar to PIPEDA.

Subsequently, some think Canada is still behind other countries in adopting privacy laws and believe that the new privacy law, PIPEDA, isn’t enough. Better (stronger) privacy laws are needed in case organizations fail.

Still, PIPEDA will make the law stronger as compared to California’s law and somehow to place it in par with GDPR. Also, others believe that PIPEDA will provide some layer of security to the American privacy behaviors.

But How Many Canadians are Aware of the Privacy Efforts?

According to the Canadian Internet Registration Authority (CIRA), there is a significant disconnection between the businesses in Canada being aware of cybersecurity threats and possible actions of combating them. Precisely, 38% are unfamiliar with PIPEDA with 59% said to store consumer’s personal information. Furthermore, 40% have suffered in the hands of cyber-attacks.

For now, it remains to be seen how the new law will influence the privacy behavior with the trade partnerships between Canada and the United States. But one thing is for sure, privacy rights are getting realized worldwide (at least to show the users), and that’s a good thing.

Image courtesy of Qimono/Pixabay.

Leave a Reply

Your email address will not be published. Required fields are marked *