Mandatory data breach notification law proposed in Canada
Nestor E. Arellano reports:
With the Conservative government’s privacy reform bill sitting untouched after being introduced about two years ago, New Democratic Party MP Charmaine Borg has introduced a private member’s bill that would make it mandatory for organizations to report data breach incidents.
Bill C-475, Borg’s proposed amendment to the federal Personal Information Protection and Electronics Document Act (PIPEDA), echoes what Canadian consumer and privacy advocacy groups have been clamoring for – more teeth to the existing privacy legislation that only requires voluntary reporting of breaches.
Read more on IT World Canada.
You can read the text of the bill here. The language of the proposed bill is generally stronger than what we have seen proposed here in Congress:
10.01 (1) For the purposes of this section and section 10.02, “harm” includes bodily harm, humiliation, embarrassment, injury to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, identity fraud, negative effects on credit rating and damage to or loss of property.
(2) An organization having personal information under its control shall notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.
It also contains a provision that the entity can be ordered to stop collecting personal information:
12.11 Upon completion of an investigation of a complaint, the Commissioner may order the organization that is the object of the complaint to take the necessary actions to comply with this Act, which may include
(a) correcting its practices in order to comply with sections 5 to 10, including by
(i) fulfilling any obligation under the Act,
(ii) destroying data,
(iii) ceasing to collect, use or disclose personal information, and
(iv) deleting or adding a record; and
(b) publishing a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a).
Michael Geist comments on it:
Bill C-475 is a far better proposal with amendments to PIPEDA with more clear cut security breach disclosure requirements along with order making power that is backed by significant penalties for compliance failures. Those provisions would go far to ensure greater respect for Canadian privacy law and give Canadians the assurance of notifications in the event of security breaches. What the bill does not do, however, is address the other side of the privacy coin, namely the failure of government to hold itself accountable for the personal information it collects and now regularly seems to fail to safeguard.