Our comments in response to the OPC Notice of consultation on new mandatory breach reporting guidance

Brad Freedman, François Joli-coeur and I submitted comments on October 2, 2018 in response to the Notice of consultation on new mandatory breach reporting guidance and form issued by the Office of the Privacy Commissioner of Canada (“OPC”).

The Notice invites comments on the OPC’s draft guidance, published September 17, 2018, regarding the breach of security safeguards provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA), which come into force on November 1, 2018.

Our comments – which are made in our individual capacity – are limited to the part of the draft guidance under the heading “Who is responsible for reporting the breach?”. In particular, our comments relate to the draft guidance that a breach report must be submitted by “all organizations involved in the breach”, and the illustrative example that both an organization that collects personal information (Company A) and its data processing service provider (Company B) are obligated to report a breach to the OPC.

In our view, those aspects of the draft guidance are contrary to the plain language of PIPEDA’s breach of security safeguards provisions and inconsistent with the approach taken in other personal information protection regimes, and could have potentially serious adverse practical consequences.

Read our comments.

This content has been updated on October 3, 2018 at 22 h 28 min.