While new EU breach notification requirements have received significant media attention, closer to home are the data breach reporting obligations under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), which took effect on November 1. PIPEDA is a Canadian federal privacy law that broadly governs the collection, maintenance, use and disclosure of Canadian citizens’ personal information during commercial activities. Unlike U.S. privacy laws currently in effect, which form a regulatory patchwork of sectoral and industry-specific laws, PIPEDA follows an omnibus approach.
On June 18, 2015, Canada passed various amendments to PIPEDA, including the Digital Privacy Act. Most of the changes took effect at the same time. However, mandatory data breach reporting and its related reporting requirements came into full force only on November 1, 2018. Many U.S. companies are not aware that PIPEDA may apply to them.