In these times of uncertainty regarding privacy must-dos (read GDPR and Privacy Shield), Canada offers us another set of rules to prepare for in the Digital Privacy Act. Passed in June 2015, much of the Digital Privacy Act is already defined and in place.

Canada Digital Privacy Act: New Breach Notification Requirements

One main component, though, the Breach Notification Rule, is under consultation and still somewhat of an unknown. Despite some uncertainty, it’s still possible to prepare for compliance.

The key changes in the Act include:

    • Definition of “valid consent”
    • Compliance Agreements as an enforcement option for Commissioners
    • Broadening of allowable public disclosures by the Commissioner
    • Scope of PIPEDA – including but not limited to the exclusion of business contact information
    • Exceptions to consent requirements, such as for fraud prevention purposes
    • Extension of time limits for court applications from 45 days to 1 year
    • Breach notification, reporting, and record keeping (not yet in effect)