Staying flexible: Data breach reporting obligations must balance privacy and commerce

  • June 27, 2016

The federal government is in the process of developing regulations to govern the data breach requirements of the Digital Privacy Act passed a year ago. The amendments to the Personal Information Protection and Electronic Documents Act require private-sector organizations to inform Canadians whose electronic information has been lost or stolen, and to inform the Privacy Commissioner of Canada about any harmful data breaches.

Before those amendments can take effect, the government needs to draft regulations to govern them. To that end, it invited comments on a discussion paper earlier this year. The CBA’s Privacy and Access Law Section sent its submission to the consultations ahead of the May 31 deadline.

In general, the Section supports the development of data breach notifications and reporting regulations, but cautions the government against making the regulations overly prescriptive. “Our comments are guided by our understanding of the overarching principle of balancing individual privacy rights and facilitation of commerce,” Section Chair Laura Davison wrote to the Innovation, Science and Economic Development Canada group conducting the consultations.

“In particular, we recommend a flexible, non-prescriptive approach to drafting regulations, allowing assessment on a case-by-case basis and providing discretion to organizations to make appropriate decisions about their breaches.”

Davison refers to previous submissions on the topic: in 2005, when the CBA argued it should be left to individual organizations to determine their own level of risk of data breach; and in 2008, when it recommended that reports to the Commissioner be “based on facts alone. We recommend not requiring notices and reports to include speculative assessments of the risk of harm.”

When it comes to reports of breaches, the Section argues for flexibility in timing – to accommodate investigations and to allow the organization to collect as many facts as possible – and in the manner of the report, that is, whether the notification should be direct or indirect. It suggests the Office of the Privacy Commissioner could issue instructive guidelines on the topic, as well as on the question of record-keeping – who in an organization should keep the records, for how long, and what information needs to be kept.

“We support establishing these regulations and believe an effective regulatory regime in line with our recommendations will further entrench an organization’s obligations to safeguard personal information and strike an appropriate balance between individual privacy rights and the facilitation of commerce,” Davison concludes.
