Order Fixing November 1, 2018 as the Day on which Certain Provisions of the Act Come into Force: SI/2018-32

Canada Gazette, Part II: Volume 152, Number 8

Registration

April 18, 2018

DIGITAL PRIVACY ACT

P.C. 2018-369 March 26, 2018

Order Fixing November 1, 2018 as the Day on which Certain Provisions of the Act Come into Force

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to section 27 of the Digital Privacy Act, Chapter 32 of the Statutes of Canada, 2015, fixes November 1, 2018, as the day on which sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of that Act come into force.

EXPLANATORY NOTE

(This note is not part of the Order.)

Proposal

Pursuant to section 27 of the Digital Privacy Act, the Order in Council fixes November 1, 2018, as the date of coming-into-force of Division 1.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA).

Objective

The objective of the Order in Council is to implement Division 1.1 of PIPEDA, which provides for mandatory data breach reporting under the Act. The date of coming into force of these provisions is set at November 1, 2018, providing regulated organizations with a lag period of approximately six months of preparation time after publication of final regulations that provide specifics. The Breach of Security Safeguards Regulations will come into force at the same time, as per the accompanying regulatory proposal.

Background

PIPEDA is Canada’s privacy law for private sector organizations. The Act, which came into force in January 2001, sets out rules that organizations must follow when collecting, using or disclosing personal information in the course of their commercial activities. The Office of the Privacy Commissioner (OPC) enforces PIPEDA by overseeing whether organizations are complying with the Act’s obligations.

The Minister of Innovation, Science and Economic Development (ISED) administers and is responsible for PIPEDA, as well as its subordinate legislation. Pursuant to paragraph 26(1)(c) of PIPEDA, the Governor in Council has the authority to make regulations for carrying the purposes and provisions of the Act.

Bill S-4, titled the Digital Privacy Act, received royal assent on June 18, 2015. The Digital Privacy Act amended PIPEDA to add mandatory breach reporting obligations under PIPEDA.

The amendments impose a new set of obligations onto organizations to inform individuals if their personal information has been lost, stolen or inappropriately accessed, and they are placed at risk of harm. Specifically, the Act states that

• data breaches that pose a real risk of significant harm will need to be reported to the Privacy Commissioner, and affected individuals will need to be notified;
• an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
• records of all data breaches experienced by an organization will need to be maintained and provided to the Privacy Commissioner upon request;
• deliberately failing to report a data breach, or deliberately failing to notify an individual as required will be separate offences subject to fines of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual left without notification of the breach; and
• deliberately failing to keep, or destroying data breach records will also be an offence, subject to a fine of up to $100,000.

Although Division 1.1 was given royal assent in June 2015, coming-into-force was postponed to allow for development and implementation of regulations that would outline specifics pertaining to how organizations should undertake their new obligations. Since that time ISED has conducted two consultations pertaining to development of the Regulations.

Implications

There are no financial implications to the Government associated with this Order.

Consultation

ISED received extensive stakeholder feedback during the passage of Bill S-4 through Parliament, and during the development of the Regulations. From March to June 2017, targeted stakeholder consultations were conducted to determine the scope of the Regulations, and from September to November 2017, a public consultation on the draft Regulations was conducted via the Canada Gazette, Part I.

Nearly all business representatives who commented on the time frame for implementation called for a lag period between the publication of the final Regulations and their coming-into-force. Proposed lag times ranged from 6 to 18 months. Business representatives stated they will need time to adjust their information systems, practices and procedures, and to train employees after the Regulations are final.

An opposing view submitted by a small number of stakeholders, including the Privacy Commissioner of Canada, is that a lag period is unnecessary given that organizations have been aware of the mandatory data breach and notification requirements since the amendments to PIPEDA were passed in 2015.

A coming into force date of November 1 provides regulated organizations with some preparation time, while still implementing mandatory breach reporting before the end of 2018.

Departmental contact