Canada’s New Data Breach Law Creates Unique Obligations for Businesses

Privacy & Cybersecurity Update

Date: November 08, 2018

Key Notes:

  • On November 1, Canada adopted a new data breach response law.
  • Businesses with Canadian operations, employees or customers will be affected by the new requirements.
  • Data breach response plans will now have to include Canadian legal requirements.

While many businesses have been focused on compliance with the European Union’s new data privacy regulation, other jurisdictions have been equally busy expanding the reach and requirements of their own data protection laws. For example, Canada recently adopted a data breach response law that may subject businesses that collect and process Canadian citizens’ personal information to new requirements.

As with similar domestic and foreign data privacy laws, noncompliance with Canada’s law can be costly. An organization that knowingly violates its breach notification obligations may be fined up to $100,000 per violation and may be subject to other regulatory and judicial penalties by Canadian authorities. Consequently, businesses should review and update their existing data incident response plans to account for Canada’s requirements and maintain compliance with (yet another) data breach response law.


In June 2015, the Canadian government passed the Digital Privacy Act, which amended its principal consumer privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to include a mandatory data breach notification requirement. In April 2018, Canada released its Breach of Security Safeguards Regulations (Regulations), which clarify certain requirements for data breach notifications, including their content and method and form of delivery. More than three years after the passage of the Digital Privacy Act, Canada’s data breach law and regulations finally became effective on November 1, 2018.

Territorial Scope

PIPEDA regulates how private-sector organizations collect, use, process, disclose, retain and destroy Canadian citizens’ personal information in the course of their commercial activities. An organization may be exempt from PIPEDA if it is located in a province that has enacted similar privacy legislation (i.e., Quebec, British Columbia and Alberta). Although PIPEDA does not specifically define its territorial scope, the Federal Court of Canada has previously held that the law applies to organizations in other countries that have a “real and substantial link” with Canada. In other words, PIPEDA may apply to an organization that conducts business in Canada even if it is located or headquartered in a foreign country.

Personal Information Definition

PIPEDA defines “personal information” broadly to include any information “about an identifiable individual.” The Canadian courts have found that information is considered to be about an identifiable individual if there is a “serious possibility” that an individual could be identified through the use of that information, alone or in conjunction with other data. However, personal information does not include business contact information or personal information collected solely for journalistic, artistic or similar purposes.

Breach Reporting Guidelines

PIPEDA defines a “breach of security safeguards” to mean “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards … or from a failure to establish those safeguards.” An organization must report any such breach involving personal information under its control if it is reasonably believed that the breach creates a “real risk of significant harm” to the individual whose information has been compromised.

The law states that “significant harm” includes, but is not limited to: bodily harm; humiliation; reputation damage; loss of employment, business or professional opportunities; identity theft; financial loss; or damage to or loss of property. As part of this risk analysis, the law mandates that the organization consider the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused.

PIPEDA does not create any sort of numeric threshold on data breach reporting. Whether a data breach affects one person or 1,000, a report is required if the risk-of-harm criteria are satisfied. Separately, unlike other data breach response laws, PIPEDA does not address whether a data incident involving encrypted information is excluded from the notification requirement because its disclosure cannot, without other linking data, cause harm. Absent any future guidance to the contrary, businesses should consider encryption as part of their risk analysis.

Parties to Notify

If a data breach has occurred, PIPEDA requires an organization to notify both the individual whose personal information has been compromised and the Office of the Privacy Commissioner (OPC) of Canada. An organization is also required to notify any other entity (e.g., payment processors) or government institution (e.g., law enforcement) of the breach if this notification will mitigate or otherwise reduce the potential risk of harm.


A business is required to provide a data breach notification “as soon as feasible” after it determines a breach has occurred. During the Regulations’ drafting and consultation phase, some raised concerns that the proposed regulatory text did not account for the fact that data breach victims may not have all of the information required to submit a breach report to the OPC immediately following the incident. In response, the final Regulations provide that an organization may report specific categories of breach-related information to the extent possible at the time of reporting, and it may update and supplement this notification later when additional information is discovered.

Notice Content

PIPEDA identifies several categories of information that must be included in a data breach notification to the OPC:

  • A description of the breach’s circumstances and, if known, its cause
  • The day or time period when the breach occurred
  • A description of the personal information subject to the breach
  • A description of the organization’s risk mitigation measures
  • A point of contact
  • The number of individuals affected
  • A description of how the organization will notify affected individuals

The report must be in writing and may be sent to the OPC by any secure means of communication.

Notifications to individuals impacted by the breach must include, in addition to the first five categories identified above, a description of the remedial steps an individual can take to mitigate the potential risk of harm from the breach. An organization may provide these notifications directly to an affected individual in person or by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

An organization is not obliged to directly notify an individual of a breach if such communication would likely cause further harm to the individual or undue hardship for the organization, nor is it required to provide such notification if it does not have the individual’s contact information. However, if direct notification is not possible, the organization must notify affected individuals through public communication or a similar measure that could reasonably be expected to reach the affected parties (e.g., online advertisements or offline newspapers or other publications).


Pursuant to PIPEDA, an organization is required to maintain a record of every data breach for 24 months after the day on which it determines that the breach has occurred. This timeframe is intended to be a minimum requirement, and longer retention periods are permitted when appropriate. The purpose of data breach recordkeeping is to facilitate oversight and encourage better data security practices.


For more information, please contact:

Thomas F. Zych

Steven G. Stransky

Darcy M. Brosky

Craig A. Foster

Stephanie Schmalz*

*Stephanie Schmalz is a law clerk and is not admitted to practice in Ohio; her work is supervised by principals of the firm.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.