How the New Digital Privacy Act Will Keep You Aware of Corporate Data Breaches

4 September 2015

This June, Industry Minister James Moore announced a new law that modernizes Canada’s existing private sector privacy mandates. In addition to setting clear rules for how personal information can be collected, used and disclosed, the law requires organizations to notify both the Privacy Commissioner and affected individuals in the event of a security breach.

Referred to as the Digital Privacy Act (DPA), the new law amends Canada’s foundational Personal Information Protection and Electronic Documents Act (PIPEDA), carefully outlining the conditions in which companies must communicate news of security lapses to consumers. Under the new law, which received Royal Assent on June 18 of this year, organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves. If a company should fail to communicate these security risks to its customers or to the Privacy Commissioner, it could be subject to up to $100,000 in fines.

The Digital Privacy Act delineates situations in which consumers must be notified as instances when a breach puts them at real risk of “significant harm.” While broad, the definition of “significant harm” is expressly defined in the language of the act as:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • identity theft
  • Damage to or loss of property

In addition, the DPA further protects consumers by mandating that companies’ security-related communication is written in clear, simple language so that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.

“Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians,” said Daniel Therrien, Privacy Commissioner of Canada. “Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach.”

Although the act identifies the conditions under which a breach must be disclosed, it does not define the specific manner in which this communication should take place. Because of this gap, while other rules put forth by DPA will be enforced right away, the data breach rules will not come into force until “regulations outlining data breach requirements are completed.”

While the Digital Privacy Act provides stringent rules regarding disclosure, it is more flexible in other areas. In an effort to adapt to a modern online landscape that necessitates businesses to use personal information to conduct normal everyday activities, the act removes PIPEDA barriers that prevented businesses from using personal information to detect financial abuse or to communicate with the parents of an injured child.

“The Digital Privacy Act will protect the personal information of Canadians online,” said Minister of Industry James Moore. “It will hold companies to account when Canadians’ personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats.”

As Moore mentioned, the Privacy Commissioner has been given new powers in order to enforce the DPA. These include the ability to form compliance agreements with organizations the Commissioner has reasonable grounds to believe may have committed, or are likely to commit, a breach of PIPEDA privacy mandates. These “agreements” are loosely defined, and can contain any terms the Commissioner deems necessary to ensure compliance. If needed, the Commissioner may go to courts to ensure organizations comply with the agreements.

As the lawmaker continue to pass legislature to attempt to protect consumers, give yourself some peace of mind and subscribe to a credit monitoring service like, Identity Guard, to help you stay informed in the event of a security breach.

02