Canada’s New Data Protection Law Set To Be Effective Nov. 1

With so much attention focusing on the General Data Protection Regulations (GDPR) coming into force in Europe on May 25, 2018, few people are noticing that our friendly northern neighbors have a similar law coming this November. As a software licensing attorney whose clients often license ERP software systems into Canada, I’ve been tracking developments closely.

Called the “Personal Information Protection and Electronic Documents Act” (PIPEDA), Canada’s Parliament originally passed the legislation in 2015. But it got tangled up in more than two years of public comment and rule writing, only receiving what is called “Royal Assent” in April 2018. Although not as stringent as the E.U.’s GDPR, nevertheless it will have a direct impact on not just Canadian businesses but also on U.S. companies with operations in Canada as well as American software developers, vendors and integrators selling to customers north of 49’.

The forthcoming law contains four key requirements:

  • Companies must determine if the breach poses “a real risk of substantial harm” to individuals by conducting an intensive risk assessment that evaluates both the sensitivity of the data and the probability that it might be misused.
  • If it does, the organization must notify both the individuals affected and Canada’s Privacy Commissioner as soon as possible.
  • The affected company must also report the hack and leak to any organization that might be in a position to mitigate the harm to the people affected.
  • An organization must maintain records of data and privacy breaches, providing them to the Privacy Commissioner on request.

The law also provides for stiff penalties for PIPEDA violations. While not as severe as under GDPR, still the Privacy Commissioner may impose fines of up to CDN$10-million (about US$8-million). And there is no doubt that fines will be imposed: There are numerous instances of companies being assessed millions for violating Canada’s very tough anti-spam law that has been in effect for a number of years.

For developers, vendors and integrators struggling to meet GDPR’s requirements, Canada’s PIPEDA may not provide an onerous burden. If you meet GDPR, chances are good you will be PIPEDA compliant, as well. Essentially, PIPEDA codifies existing best practices for data breach reporting and brings Canada in line with the European Union as well as the much laxer U.S. requirements.

Ottawa exempts from PIPEDA organizations in provinces that have adopted similar or tougher privacy regulations unless the business is federally regulated such as banks. Currently, only Albert, British Columbia and Quebec have such a law on the books; the other provinces have privacy laws that apply only to health information.

If you have any questions about PIPEDA and other privacy requirements in Canada, get in touch with a software licensing lawyer.

By Marcus Harris