Consultation on New Data Breach Regulations

The federal Personal Information Privacy and Electronic Documents Act (PIPEDA) sets the basic legal framework for how private-sector organizations can handle and use the personal data of Canadians. In 2015, PIPEDA was amended to include mandatory reporting of data breaches that compromise the security of personal data under a company’s care. The requirements include reporting to both the government, through the Office of the Privacy Commissioner, and to impacted individuals so they can take steps to mitigate potential damage. This past March, Innovation Science and Economic Development Canada (ISED) began the process of consulting on potential new regulations to implement the notification rules (view ISED’s discussion document).

New regulations in this area could have a significant impact on our industry, and it’s important the government gets them right. To this end when consultations were launched, ITAC reached out to get our members informed and involved on this issue. In March ITAC hosted two webinars with ISED staff to discuss the scope of the proposed regulations, which were attended by over 70 member companies. We also launched an online survey to take in members’ views and established a working group to develop an industry position.

In our final response paper, submitted on May 31st, ITAC takes the position that any new regulations should aim to protect the interests of consumers without undermining innovation or creating unnecessary administrative burden. The response stresses that the new regulations should take a principles based approach that focuses on outcomes and allows for flexibility in implementation. A considerable grace period should be included before new rules come into effect to allow for adequate training and resource allocation. The government should also take steps to make it easier for businesses to comply by providing compliance support materials (templates, checklists, etc.) and launching new programs to help SMEs adopt appropriate cyber security safeguards.

ITAC understands that ISED is aiming to develop draft regulations for the fall of 2016. ITAC will work closely with ISED and our members to monitor this issue and ensure the new regulations protect the privacy of Canadians while minimizing unnecessary regulatory burden and cost for industry.

You can view ITAC’s full consultation submission to ISED – ITAC Data Breach Response May 2015

If you have any questions on this issue, please contact David Messer at