It could have been worse – Canada’s Breach Regulations

On September 2, 2017, the Ministry of Innovation, Science and Economic Development Canada (ISED) published draft Breach of Security Safeguard Regulations. These Regulations fill in some missing elements of Canada’s federal data breach law that was enacted as part of the Digital Privacy Act amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

For the most part, ISED came through with manageable requirements for organizations. Here’s my take on the good stuff:

  • The Regulations track the Alberta requirements. For the most part ISED has followed the Alberta requirements for the content of the regulatory reports and for individual notifications.
  • Organizations don’t need to speculate in writing about the “risk of harm” to individuals. The Alberta law that requires organizations to report to the Alberta Office of the Information and Privacy Commissioner (OIPC) whenever a “reasonable person” would consider there to be a “real risk of significant harm” from the loss of or unauthorized access to personal information. The OIPC then decides whether the organization must notify individuals by second guessing the organization’s real risk of significant harm analysis. This is a quirky feature of the Alberta law. Thankfully, that same quirk wasn’t carried over into PIPEDA. Perhaps as a result, the federal Regulations do not require organizations to engage in this speculative analysis in their reports to the OPC. Yay!
  • The Regulations contain some consumer-friendly enhancements to the individual notification requirements. Organizations must include a toll-free number or email address to ask questions about the incident. In addition, organizations must tell individuals about the organization’s internal complaints process and the right of affected individuals to complain to the OPC.
  • The Regulations provide for flexibility in terms of how organizations may notify affected individuals – email or other secure electronic methods (provided the individual has consented) or traditional means such as by a letter to the last known address, by phone or in person are all permitted. The Regulations also provide that indirect notification through posting on the organization’s website (conspicuously) for 90 days or more or by publishing advertisements that are likely to come to the attention of the individual are acceptable in some circumstances. Those circumstances include where the cost of direct notification would be prohibitive,  the organization doesn’t have current contact information, or direct notification could cause harm to the individual.
  • The record-keeping requirements are much less onerous than feared. Organizations are required to keep a record of every loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards. On its plain reading, this does not mean a record of every suspected or possible loss or unauthorized access or unauthorized disclosure. In terms of the content of the records, ISED has left that to the organization to decide provided that the records contain sufficient information for the OPC to assess whether the organization is meeting its obligations under the data breach provisions of PIPEDA. Records must be kept only for 2 years.

There is one area of major disappointment. ISED had an opportunity to short-circuit the long-running feud between the Canadian Commissioners who see the ghost of significant harm everywhere and organizations trying to apply the test of “real risk of significant harm” in a sensible way. The ISED could have decided, for example, that the unauthorized access to properly encrypted data did not create a real risk of significant harm. Frankly, the loss of a credit card number that has been reported to the card issuers hardly constitutes a risk of harm (once reported). Alas, the feud will continue unless the Commissioners take a more realistic approach.

The draft Regulations are subject to change, so check the final version! Read the draft here. There is a 30 day comment period. After that, ISED can either publish amended regulations or register the final version and specify a date on which they will come into force.

Advertising to Children, Invite-a-Friend, and the State of Consent – Friday Files

Looking for some weekend reading to catch up on developments? Here are three noteworthy developments and blog posts to consider.

  • Marketing to Children? The U.S. Federal Trade Commission has released a welcome guide to complying with the U.S. Children’s Online Privacy Protection Act (COPPA). In Canada, the Office of the Privacy Commissioner has set a high threshold for consent when collecting and using personal information of children under 13 years of age. Although the OPC has not issued similar detailed guidance, marketers will find the FTC’s guidelines to be useful in planning a Canadian strategy as well. These guidelines will not help marketers address Quebec’s unique rules that generally prohibit marketing to children under 13. Find the FTC COPPA Guidance here.
  • Invite-a-Friend Campaigns? Law 360 reports on the outcome of the Poshmark litigation in which the plaintiffs alleged violations of the Telephone Consumer Protection Act (TCPA). The issue was whether the Poshmark App’s “Find People” feature violated the TCPA as an unsolicited invitational text message. When a user of the app used this function, a text message would be sent on behalf of the user to all contacts in the individual’s address book. Poshmark was successful in dismissing the case on the basis that it was not the initiator of the message. Marketers seeking to use this strategy in Canada should exercise caution. Canada’s Anti-Spam Legislation operates differently and might not result in the same outcome without additional steps and due diligence. Read the Law 360 report here.
  • What do Canadians think of Consent? The Office of the Privacy Commissioner of Canada is engaged in a broad consultation on the state of “consent” as a means for individuals to exercise control over their personal information. The news hasn’t been good. Canadians want to be asked for consent but don’t feel they have the information and tools to provide meaningful consent. The OPC commissioned a focus group to gather qualitative information from Canadians on their perceptions. The report prepared for the OPC can be found on the OPC’s website here.

PIPEDA Guide – Suggestions welcome

I’m in the midst of drafting the new edition of the Guide to the Personal Information Protection and Electronic Documents Act (LexisNexis). If you currently use the Guide, I would appreciate your advice on things you’d like to see expanded, shortened, or clarified. Is there anything missing that you would like me to discuss? How important is it to you that I compare PIPEDA to European and U.S. regulations? Now’s the time! If you don’t have a copy of the Guide, you can check it out here and let me know what would make it more useful to you.