It is time for organizations to think ahead and prepare for new requirements imposed under the Digital Privacy Act (formerly known as Bill S-4). The new requirements, which will result in significant amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), will come into force on November 1, 2018.

The new requirements impose mandatory reporting and notification for data breaches. Once in force, organizations subject to PIPEDA will be required to notify the Privacy Commissioner of Canada (the Commissioner) and affected individuals in the event of a data breach. Organizations must do so if the breach could reasonably create a risk of significant harm to an individual. Notification  must be provided as soon as feasible once the breach has occurred, and must contain enough information for the individual to understand the significance of the breach. Failure to notify the Commissioner or affected individuals could result in fines of up to $100,000 or an indictable offence.

The effects of the mandatory reporting will not stop at Canadian borders, as PIPEDA applies to foreign organizations that collect, use, or disclose personal information in the course of commercial activities and have a “real and substantial connection” to Canada. As such, those Canadian and foreign organizations subject to PIPEDA must ensure they have systems in place to meet the upcoming requirements.

An acquirer should be aware of and prepared for these changes to privacy legislation. Specifically, during its due diligence process, where PIPEDA is applicable, acquirers should ensure:

  • Targets are meeting new record-keeping requirements; and
  • The target has reporting systems and policies in place to ensure proper notifications are provided in the event of a breach.

In addition, those due diligence considerations discussed in a previous post on the subject of the European Union’s implementation of the General Data Protection Regulation (GDPR) are equally relevant and applicable in this case.

With just under four short months before the implementation of the new reporting and notification requirements, it is time for organizations to take a step back and ensure they have appropriate measures in place, and are prepared for November 1.

The author would like to thank Manon Landry, summer student, for her assistance in preparing this legal update.

Stay informed on M&A developments and subscribe to our blog today.