Canada’s New Digital Privacy Act

Text of the new Canadian Digital Privacy Act,   which received royal assent June 18, 2015.  It still needs regulations into order to receive its full effect. Here’s some analysis of the new Act (dating from when it was “just a bill,”) written by the Canadian Bar Association.  The new Act amends the Personal Information Protection and Electronic Documents Act (PIPEDA).  Specifically, the new Act requires that businesses report data breaches to affected individuals if the breach presents a “real risk of significant harm” (see Section 10.1) and to government institutions and others under certain circumstances if the business could then mitigate the risk of damage (see Section 10.2)  Businesses must now keep records of all data breaches, even if such data breaches do not need to be reported (see Section 10.3)  Fines for failure to report can reach $100,000 Canadian. Section 18 protects those who report such breaches in good faith from accusations of defamation.