Before 2018, reporting data breaches was voluntary under PIPEDA. In 2018, PIPEDA was amended to require reporting of breaches that risked harming one or more individuals. Now, under PIPEDA, organizations must maintain records of all data breaches for 24 months following the initial discovery of a breach. To put teeth into PIPEDA enforcement, the 2018 amendments also created monetary penalties for non-compliance. Organizations that knowingly violate PIPEDA requirements for proactive security safeguards, data breach reporting, and keeping data breach records may be fined up to $100,000 in Canadian dollars (CAD) per violation. Canada’s Department of Justice decides which cases to prosecute.
What is PIPEDA Canada? The Complaint Process
The PIPEDA Canada complaint process begins when an individual files a complaint with the Office of the Privacy Commissioner of Canada (OPC). The OPC first determines whether the matter is covered by PIPEDA. If it is not, the OPC does not investigate. If it is, the OPC accepts the complaint and begins an investigation. When appropriate for the privacy issue in question, the OPC then works with individuals and companies to resolve complaints in the early stages of the investigation process. If mediation efforts are not successful, a formal investigation is conducted. The OPC may find the complaint to be well-founded or not well-founded. If a complaint is found to be well-founded, it can be prosecuted in federal court.