What PIPEDA and CPPA Mean for Organizations: Proactive Incident Response in Canada

Canada is no stranger to privacy laws: the country first passed its Personal Information Protection and Electronic Documents Act (PIPEDA) over two decades ago, in 2000. The law includes ten fair information principles that require organizations to obtain consent for collecting, using, or disclosing personal information, gives individuals the right to access their information and challenge its accuracy, and introduces safeguards organizations must follow for protecting personal information. 

Over two decades later, not only has Canada amended PIPEDA several times to strengthen and expand its remit, but the country is also looking to pass new legislation known as the Consumer Privacy Protection Act (CPPA). Currently, PIPEDA carries penalties of up to $100,000 CAD per violation, and CPPA could increase those fines dramatically, making it critical for every organization to understand what’s required under the law.

Who Is Subject to PIPEDA Today?

Private sector organizations across Canada that collect, use, or disclose personal information during commercial activity are subject to PIPEDA. 

The law defines personal information as any factual or subjective information about an identifiable individual, including:

• Age, name, ID numbers, income, ethnic origin, or blood type
• Opinions, evaluations, comments, social status, or disciplinary actions
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, or intentions (for example, to acquire goods or services or to change jobs)

Further, the law defines commercial activity as any transaction, act, or conduct that is “commercial” in nature, such as selling, bartering, or leasing.

Canada does make several exceptions to PIPEDA compliance for various types of organizations as well as various types of data. 

• Exempt organizations
  • Organizations located in provinces that have enacted substantially similar legislation to PIPEDA can adhere to the provincial laws. These provinces are: Alberta, British Columbia, and Quebec. However, any time personal information crosses provincial or national borders in the course of commercial activities, PIPEDA applies, regardless of the province in which the business is located.
  • Municipalities, universities, schools, and hospitals are generally covered under provincial laws unless they use personal information in a commercial way that is not central to their mandate or responsibilities and not covered by similar provincial law.
  • Not-for-profit and charity groups and political parties and associations are exempt from PIPEDA unless they use personal information in a commercial way that is not central to their mandate.
    
• Exempt types of data
  • Personal information handled by federal government organizations
  • Business contact information, such as employee name, title, business address, telephone number, or email addresses, if that information is collected, used, or disclosed solely for communications related to the individual’s employment
  • Personal information collected, used, or disclosed solely for journalistic, artistic, or literary purposes

Finally, federally regulated organizations that conduct business in Canada are always subject to PIPEDA, and the law also covers the personal information of their employees. These organizations include:

• Airports, aircrafts, and airlines
• Banks
• Inter-provincial or international transportation companies
• Telecommunications companies
• Offshore drilling operations
• Radio and television broadcasters

How Canada Enforces PIPEDA 

The Office of the Privacy Commissioner of Canada (OPC) is responsible for enforcing two privacy laws, one of which is PIPEDA.

The OPC has the power to review, investigate, and enforce PIPEDA. Individuals can file a complaint to the OPC or the commission can identify an issue. In either case, the OPC will review its jurisdiction in the matter and can then accept, deny, or resolve the complaint. When the OPC accepts the complaint, it will launch an investigation that can lead to enforcement activities.

Enforcement mechanisms for PIPEDA include:

• A hearing in federal court
• A public interest disclosure of the issue
• An audit of the organization’s privacy practices
• Compliance agreements to ensure the organization takes certain action to comply with PIPEDA
• A report of offenses

The OPC offers advisory services to help organizations understand the requirements under PIPEDA and how to fully comply with the law. This can include reviewing current privacy practices to identify potential risks and areas for improvement or responding to requests for advice. All of these services are voluntary and free of charge.

How CPPA Would Affect Enforcement 

Currently, violating PIPEDA requirements for proactive security safeguards and data breach reporting and record-keeping can carry a fine of up to $100,000 CAD per violation. Additionally, organizations can face criminal prosecution if they purposely destroy information after receiving a request from the OPC to review that information, take action to retaliate against employees for trying to follow PIPEDA guidelines, or attempt to hinder OPC investigations.

If Canada passes the CPPA, these penalties could increase significantly. The new law proposes fines of up to 3% of global gross revenue or $10 million CAD (whichever is higher) for administrative penalties and fines of up to 5% of global gross revenue or $25 million CAD (whichever is higher) for obstructing investigations or knowingly circumventing requirements. Additionally, CPPA aims to introduce a private right to action that allows individuals to sue for damages in a federal court or superior court.

What Qualifies as a Breach of Security Safeguards Under PIPEDA

A 2018 amendment to PIPEDA made it mandatory for organizations to report any data breach that creates a real risk of harm for individuals and requires organizations to keep records of data breaches for 24 months after the initial discovery.

According to guidance from the OPC, a breach of security safeguards occurs when there is a loss or unauthorized access, use, or disclosure of personal information. Any breaches that carry a “real risk of significant harm” require organizations to notify the OPC, affected individuals, and relevant third parties — regardless of how many people are affected.

The OPC states that organizations can determine whether or not a real risk of significant harm exists by conducting an assessment of the sensitivity of the personal information involved in the breach and weighing the probability that the information could be misused. It also defines significant harm as:

• Bodily harm
• Humiliation, reputational damage, or relationship damage
• Loss of employment, business, or professional opportunities
• Financial loss, identity theft, or any negative impact to credit records
• Damage to or loss of property

Incident Response Measures Required Under PIPEDA

Any organization that experiences a data breach that carries a real risk of significant harm must follow certain incident response requirements under PIPEDA. These include requirements for issuing notifications as well as keeping records about the breach — the latter of which applies regardless of the risk of harm.

Whom to Notify About a Data Breach

Organizations must notify the OPC, affected individuals, and relevant third parties (such as those that process or control the information involved in the breach). They must also notify any government institutions or organizations that might be able to reduce the risk of harm for individuals, such as law enforcement or payment processors.

When to Issue a Data Breach Notification

Organizations must issue data breach notifications as soon as feasibly possible once they have determined a breach has occurred and that it meets the requirements to create a real risk of significant harm.

How to Issue a Data Breach Notification

The notification organizations issue to the OPC must be in writing.

In most cases, the notification organizations issue to individuals must be conspicuous and given directly to individuals in person or by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate in the circumstances.

In certain cases, organizations can issue an indirect notification. These include cases when a direct notification is likely to cause further harm to affected individuals or causes undue hardship for the organization, as well as cases when the organization does not have contact information for affected individuals. An indirect notification is any public communication that can be reasonably expected to reach the individuals, such as advertisements in print or digital newspapers in combination with a prominent notice on the company website.

What to Include in a Data Breach Notification

The notification to the OPC must include the following information:

• The circumstances of the breach and its cause (if it’s known)
• When the breach occurred
• The personal information affected in the breach
• The number of individuals affected by the breach
• Steps taken to reduce the risk of harm to affected individuals
• Steps taken or ones the organization will take to notify affected individuals
• Name and contact information of a contact person

The notification to affected individuals must include the following information:

• The circumstances of the breach and its cause (if it’s known)
• When the breach occurred
• The personal information affected in the breach
• The number of individuals affected by the breach
• Steps taken to reduce the risk of harm to affected individuals
• Steps affected individuals can take to reduce the risk of harm (e.g. changing passwords or monitoring accounts)
• Name and contact information for someone that affected individual can contact to obtain more information about the breach

What Records Organizations Must Keep

Organizations must keep a record of every security breach for at least two years, regardless of whether or not there is a real risk of significant harm.

This record must cover information that helps the OPC confirm compliance with security safeguards and notification requirements. It should also enable the OPC to verify the organization has correctly applied the real risk of significant harm standard.

Details to include in the record include:

• Date or estimated date of the breach
• General description of breach circumstances
• Nature of information involved in the breach
• Whether or not the organization reported the breach to the OPC and affected individuals
• (If the breach was not reported) An explanation of why the organization determined there was no real risk of significant harm

Examples of Incidents That Can Trigger a Notification Under PIPEDA

Any incident that meets the real risk of significant harm standard will trigger a notification under PIPEDA. Common examples of these types of data breach incidents include:

Ransomware

A ransomware attack is a type of digital attack in which malware gets used to steal data and hold it captive in exchange for money. Even if the company gets the data back, any personal information included in the attack was exposed and could present a risk of harm to the individuals. As a result, any ransomware attack can potentially create a real risk of significant harm and therefore require a notification under PIPEDA.

Exfiltration

Exfiltration covers techniques for stealing data, which are used in most cyber attacks. Specifically, data exfiltration occurs when someone gains unauthorized access to data and transfers it to their own servers or devices. If personal information gets compromised during this type of attack, it can meet the standard of real risk of significant harm and require a notification under PIPEDA.

Trojan Attack

A trojan attack is a type of attack in which a malicious program gets hidden inside of a legitimate software program. The malicious program creates an entry point for the attacker to view the user’s digital behavior and access any of their information. This setup can expose personal information, creating a real risk of significant harm and thus requiring a notification under PIPEDA.

How Organizations Can Prepare for PIPEDA

One of the ten fair information principles outlined in PIPEDA is that organizations must be accountable. This accountability includes appointing someone to be responsible for compliance with PIPEDA, protecting personal information held by the organization, and developing a privacy management program with policies and practices for how data will be protected.

To meet these requirements, organizations must take a proactive approach to incident response. Taking a proactive approach includes thinking through three essential phases of incident response:

1) Preparation

Organizations must be ready to quickly and confidently respond when an incident occurs. This readiness is important not only because of Canada’s requirement for organizations to investigate and issue a notification as quickly as possible, but also because doing so can help reduce associated costs. The preparation phase should include:

• Reviewing requirements for incident response outlined in PIPEDA as well as any other relevant laws and contracts with customers and partners
• Developing incident response plans that meet those requirements
• Practicing and testing those plans through tabletop exercises

2) Response

Next, organizations must have the capability to put response plans into action. How effectively an organization responds when an incident occurs can impact compliance with PIPEDA, affect any penalties associated with the incident, and determine the long-term impact with the public. The response phase requires:

• Investigating the incident, including what happened, when it happened, what data was involved, who was affected, and if it meets PIPEDA’s real risk of significant harm standard
• Coordinating workflows internally to gather the necessary information and generate reports
• Taking any steps necessary to correct the issue and mitigate risk for those involved
• Issuing notifications as required by PIPEDA and any other relevant laws

3) Recovery & Ongoing Management

Finally, organizations must make incident response an ongoing effort by regularly reviewing their plans as laws and contracts, and even external threats to data privacy, evolve. This ongoing management is important to meeting PIPEDA’s principle of accountability. These activities should center around:

• Introducing a centralized dashboard that can serve as a single source of truth for all monitoring, reporting, and incident response plans
• Sharing access with key stakeholders to gain their alignment on response plans and ensure they know their responsibilities when an incident occurs

How Canada’s Proposed CPPA Compares to PIPEDA

In November 2020, the Canadian government released draft legislation to update PIPEDA, part of which includes renaming it to the Consumer Privacy Protection Act (CPPA). While CPPA builds on PIPEDA and has a lot of similarities to the current law, there’s a lot more that’s different between the two than just the names.

Some of the biggest ways in which CPPA differs from — and extends the reach of — PIPEDA include:

• Requiring privacy management programs: While PIPEDA’s accountability principle touches on the need for organizations to develop a privacy management program, CPPA takes this even further. It does so by requiring organizations to establish such a program, complete with policies for protecting personal information, dealing with privacy complaints, training staff, and publicizing these policies. Additionally, it gives the OPC permission to access details on an organization’s program at any time.
  
• Formalizing practices around consent: PIPEDA requires organizations to obtain consent for collecting and using personal information. In the course of time, the OPC has developed guidance around meaningful consent (which removes the burden of consent in cases where it doesn’t provide any meaningful privacy protection) and legitimate interests (which outlines cases in which organizations don’t have to obtain consent, such as for delivering requested services or protecting the organization). CPPA formalizes this guidance within the text of the law.
  
• Putting rules around modern data practices: PIPEDA is somewhat outdated when it comes to automated decision-making and de-identified information, both of which are newer data practices that CPPA covers. First, CPPA gives individuals the right to obtain an explanation of how automated decisions about them were made. Second, it eases challenges created by PIPEDA’s definition of personal information as “information about an identifiable individual” by allowing organizations to use de-identified information in certain instances without consent.
  
• Adding new rights for individuals to move and erase data: Following the lead of global privacy laws like California’s CCPA and the EU’s GDPR, CPPA gives individuals the right to data portability, the right to withdraw consent, and the right to request companies delete their data.
  
• Introducing more enforcement measures: CPPA also aims to strengthen enforcement compared to PIPEDA by introducing a new tribunal and increasing penalties for non-compliance. The new Personal Information and Data Privacy Tribunal would have the power to issue penalties, whereas the OPC can only make recommendations and enter agreements, as all fines must come from federal trials. This change would lead to faster enforcement. At the same time, the CPPA proposes increasing penalties for non-compliance and allowing for a private right to action.

Make Proactive Incident Response a Priority

PIPEDA has already evolved several times since it first came into effect two decades ago, and the changes proposed under the CPPA promise to evolve Canada’s privacy law even further. Against this backdrop, organizations must make proactive incident response a priority, as that is the only way to keep up with changes like these from Canada and other countries enacting privacy laws worldwide.

Making proactive incident response a priority is so important because it can also help organizations respond faster when a breach does occur — which will mitigate the fallout and reduce potential penalties. Automation is a critical component. 

Achieving true proactive incident response requires organizations to understand and stay up to date with evolving global privacy laws, assign responsibility for security and incident response, develop incident response plans that are ready to use whenever needed, and regularly evolve those plans as laws and other external circumstances change over time.