The breach notification requirements and penalties will not become effective until regulations are issued. Once effective, PIPEDA will require notification when there is a “real risk of significant harm” to the individual. Although breach notification is a welcome change that promises to increase compliance with the existing framework, the Digital Privacy Act’s addition of exemptions from the existing consent requirements gives businesses some slack on the protection of information such as business contact information and personal information in the context of business transactions.
On a related note across the sea, a breach notification law was also passed recently in the Netherlands.
Laura L. Ferguson is an Associate in Locke Lord’s Houston office. She can be reached at lferguson@lockelord.com.