How Long Does A Company Have To Notify Employees of a Data Breach under GDPR, PIPEDA and PIPA

If a company has a data breach involving personal data (i.e. staff names, addresses, Social Insurance numbers), there are three laws that may apply in Canada:

1 – PIPEDA – Personal Information Protection and Electronic Documents Act – Canada

PIPEDA is Canada’s federal law covering cyber privacy and mandates that “… notification shall be given as soon as feasible…”.  We have called the Office of the Privacy Commissioner who is the regulator and asked for clarification on what “…as soon as feasible…” actually means and was told:

• there current is no hard set number of days, but intent of the April 2018 update to PIPEDA was to bring it more inline with GDPR (which has a 3 day notification requirement)
• no statistics have been publicly generated but from a quick review it appears that most notifications are given to employees within 7 days/ 5 working days

The exact phrasing we received over the phone as “as soon as is feasible after an organization finds out that a breach could cause significant harm”.

Two important PIPEDA exemptions are:

PIPEDA does not apply to an employee’s name, title, business address, telephone number and email address,–which an organization collects, uses or discloses solely for the purpose of communicating with individuals in relation to their employment, business or profession. PIPEDA also exempts organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes

2 – PIPA – Personal Information Protection Act – Provinces

PIPA is the Alberta, British Columbia and Quebec privacy legislation:

• Alberta – Companies must notify staff and the Alberta Privacy Commissioner of data breaches “… without unreasonable delay…”.  We called the Alberta Privacy Commission and asked for a practical clarification of this ever closing window and was told that the vast majority of submissions to the commissioner occur within 5 days of a company becoming aware of a breach
• British Columbia’s PIPA & Quebec’s Protection of Personal Information act do not appear to have a notification articles in their legislation which means they would default back to the Federal PIPEDA standard of one week.

3 – GDPR – The General Data Protection Regulation – EU

GDPR is a European Union based privacy law with wide powers over that requires companies to notify affected affected people and the EU’s Privacy Commissioner of a data breach within 72 hours.  Currently the law covering citizens living outside of the EU is mostly discussed in Articles 3 and 20 of GDPR and has not been tested/clarified in court.  GDPR categorizes people as “Data Subjects” and does not distinguish between citizens and residents.  If you are an EU resident in Canada you will be able to find lawyers with logical arguments on both sides of this position, but as it stands in early 2019, it appears that GDPR will apply to citizens of the EU living in Canada, the US or other parts of the world.

It is not uncommon to see summaries like: “…Ultimately, the GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.”

Note that there is an higher standard of care required for medical information disclosures but those are not the topic we are considering here.

A Data Breach Has Occured, What Now?

For additional information we suggest you consult a privacy lawyer and skim the following articles:

1. An Overview of the Office of the Privacy Commissioner of Canada and Federal Privacy Legislation
2. What you need to know about mandatory reporting of breaches of security safeguards
3. Understanding the GDPR Data Breach Reporting Timeline