On September 2, 2017, the Government of Canada published the proposed Breach of Security Safeguards Regulations (“Regulations”). The proposed Regulations provide additional clarity and substance to the mandatory requirements for breaches of security safeguards, which were added to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in June 2015 but have yet to be declared into force. The Government of Canada will be accepting comments on the proposed Regulations until October 2, 2017.
The new breach notification requirements will add significant financial and administrative burdens for organizations handling personal information regulated by PIPEDA, including organizations located outside of Canada which collect, use or disclose personal information about Canadian individuals.
The leak of the confidential files of a Panamanian law firm, dubbed the “Panama Papers,” has generated much press coverage, but there has been surprisingly little comment about the privacy rights of those named in, or linked to, the disclosures. It seems obvious that the public exposure of the personal information (“PI”) contained in the documents that were unlawfully obtained by an anonymous hacker raises serious privacy concerns for those individuals who are named. In fact, the International Consortium of Investigative Journalists (“ICIJ”) and other media outlets could well be facing regulatory complaints or even tort claims for unauthorized use of PI and/or invasion of privacy under Canadian law. If so, the release of PI by ICIJ members could qualify as the largest intentional privacy breach ever made in Canada by an identifiable entity.