Further Comment on the Changes to PIPEDA and the Evolving Data Breach Class Actions Landscape
November 1, 2018 marked the coming into force of mandatory breach notification requirements for Canadian private sector corporations as a result of amendments to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) through the Digital Privacy Act. Now, where an organization subject to PIPEDA experiences a data breach that gives rise to a “real risk of significant harm,” it will be required to: (i) report the incident to the Office of the Privacy Commissioner of Canada; (ii) notify any affected individuals; and (iii) alert any other third parties that are in a position to reduce the risk of harm to affected individuals. See McCarthy Tétrault’s breakdown of PIPEDA’s new legal requirements here.
Notably, these new disclosure requirements may increase data breach class actions, further encouraging the upward trend of this type of litigation in Canada. Over the last few years, Canadian courts have addressed an increasing number of lawsuits, including class actions, initiated by employees, customers and other stakeholders relating to data breaches, cyber attacks and the misuse of personal information. It follows that the rise in public awareness supported by the broad, mandatory reporting obligations of PIPEDA may, in turn, increase the occurrence of class actions.
This is not the first mandatory reporting scheme in Canada. In May 2010, Alberta became the country’s first jurisdiction to implement an incident reporting rule for data breaches by way of the Personal Information Protection Act (“PIPA”). PIPA’s requirements have led to a wide array of organizations reporting breaches to Alberta’s Office of the Information and Privacy Commissioner, even where only a few Albertans may have been affected.
While the Alberta experience has not led to a clear uptick in data breach class actions, the landscape in Canada is still in its early days of development. The changes to PIPEDA mean that there are now obligatory breach notification requirements spanning across practically all of Canada and the United States. With similar regimes having recently been adopted in Australia and the European Union, the potential for large, multi-national class action suits, like those faced by Equifax, continues to grow.
As high-profile data breaches continue to dominate the news both at home and abroad, companies should abide by proactive protection plans and breach prevention measures. Not only will such steps promote compliance with PIPEDA obligations, but they may also, as suggested by recent jurisprudence, help to mitigate an organization’s potential liability in the event of a class action.