How Long Does A Company Have To Notify Employees of a Data Breach under GDPR, PIPEDA and PIPA

If a company has a data breach involving personal data (i.e. staff names, addresses, Social Insurance numbers), there are three laws that may apply in Canada:

1 – PIPEDA – Personal Information Protection and Electronic Documents Act – Canada

PIPEDA is Canada’s federal law covering cyber privacy and mandates that “… notification shall be given as soon as feasible…”.  We called the Office of the Privacy Commissioner, which is the regulator, and asked for clarification on what “…as soon as feasible…” actually means, and were told:

  • there currently is no hard-set number of days, but the intent of the April 2018 update to PIPEDA was to bring it more in line with GDPR (which has a 3 day notification requirement)
  • no statistics have been publicly generated, but from a quick review it appears that most notifications are given to employees within 7 days / 5 working days

The exact phrasing we received over the phone was “as soon as is feasible after an organization finds out that a breach could cause significant harm”.

Two important PIPEDA exemptions are:

PIPEDA does not apply to an employee’s name, title, business address, telephone number and email address which an organization collects, uses or discloses solely for the purpose of communicating with individuals in relation to their employment, business or profession. PIPEDA also exempts organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes.

2 – PIPA – Personal Information Protection Act – Provinces

PIPA is the Alberta, British Columbia and Quebec privacy legislation.

3 – GDPR – The General Data Protection Regulation – EU

[Figure: GDPR Notification Timeline]

GDPR is a European Union privacy law with wide powers that requires companies to notify affected people and the EU’s Privacy Commissioner of a data breach within 72 hours.  Currently, the law covering citizens living outside of the EU is mostly discussed in Articles 3 and 20 of GDPR and has not been tested or clarified in court.  GDPR categorizes people as “Data Subjects” and does not distinguish between citizens and residents.  If you are an EU resident in Canada you will be able to find lawyers with logical arguments on both sides of this position, but as it stands in early 2019, it appears that GDPR will apply to citizens of the EU living in Canada, the US or other parts of the world.

It is not uncommon to see summaries like: “…Ultimately, the GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.”

Note that there is a higher standard of care required for medical information disclosures, but those are not the topic we are considering here.

A Data Breach Has Occurred, What Now?

For additional information we suggest you consult a privacy lawyer and skim the following articles:

  1. An Overview of the Office of the Privacy Commissioner of Canada and Federal Privacy Legislation
  2. What you need to know about mandatory reporting of breaches of security safeguards
  3. Understanding the GDPR Data Breach Reporting Timeline
