InfoWatch analytics lab reports, earlier this month (May 1, 2010), Alberta became the first Canadian province to pass a broad breach notice law (“Bill 54”) as part of their comprehensive data privacy statute, the Personal Information Protection Act (“the Act”; technically, Alberta is the second province to pass a breach notice law in Canada, Ontario previously passed a breach notice law that focuses on health information custodians).
It will be interesting to see whether the Alberta law ushers in the passage of additional provincial laws similar to way California's SB 1386 lead to breach notice laws in over forty U.S. states. There appear to be several breach notice initiatives at the provincial and federal level in Canada, some of which may be on the verge of passing. If a wave of breach notice laws do pass throughout Canada, it will be interesting to see if it will have the same impact as in the United States (e.g. frequent reporting of breaches, lawsuits, etc.). It will also be interesting to see whether the Canadian approach differs from the U.S. approach.
This blog post breaks down Alberta’s breach notice provisions in a “Frequently Asked Questions” format, and includes commentary and comparisons to existing U.S. law. Note that the Act also now includes obligations concerning collecting and transferring of personal information outside of Canada. That is also discussed briefly in this blog post.
Obligations Concerning Personal Information Collection and Transfer Outside of Canada
First, before diving into the FAQ on the breach notice provisions of Bill 54, let’s take a quick look an amendment in Bill 54 that addresses the use of service providers outside of Canada for purposes of collecting or transferring personal information. Bill 54 added the following provision to the Act:
13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).
(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).
(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of (a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and (b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
While this provision does not require an individual’s consent to use a service provider outside of Canada, it does require certain notice of certain information to the individual prior to collecting or transferring personal information to such service providers. This specific information referenced in the Act can probably be put into an organization’s privacy policy. However, for organizations that have existing non-Canadian service provider relationships, a process must be put in place to provide notice to individuals. This provision may also have implications with respect to Cloud computing. Some organizations in Canada using the Cloud may not know whether personal information is being transferred outside of the United States. As such, these organizations may have to examine their existing service provider relationships, including identifying subcontractors outside of Canada that service providers may be using.
FAQ on the Personal Information Protection Act’s Breach Notice Obligations.
What breach notification obligations are set forth in Alberta’s breach notice law?
There are actually two potential notification obligations in Alberta’s breach notice law. The primary obligation requires organizations to provide notice to Alberta’s Information and Privacy Commissioner (the “Commissioner”):
34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
(emphasis supplied). In addition, organizations that suffer a breach may also have to provide notice to the impacted individuals:
37.1(1) Where an organization suffers a loss of or unauthorized access to or disclosure of personal information that the organization is required to provide notice of under section 34.1, the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure (a) in a form and manner prescribed by the regulations, and (b) within a time period determined by the Commissioner.
(emphasis supplied). Two points jump out based on these duties. First, it appears that any notice obligation for individuals applies only to those individuals as to whom there is a “real risk of significant harm.” So with respect to a particular breach, this may involve only a subset of those individuals whose personal information was subject to loss or unauthorized access. Second, even if a real risk of significant harm does exist, there is no automatic mandatory reporting obligation to the impacted individuals. Rather, there is only a reporting obligation if the Commissioner requires reporting. At the end of the day however, depending on the regulations and procedures created by the Commissioner, this notification obligation may effectively become “mandatory.” In fact, subsection 37.1(3) requires the Commissioner to establish an “expedited process” for determining whether to require notification where the harm to the individual is “obvious and immediate.”
Differences against U.S. State breach notice laws:
Regulator Involvement. The obvious difference between Alberta and most U.S. breach notice laws is that the primary notification obligation is to the regulators. In the U.S. the breach notice laws require notification to the impacted individuals, and some also require concurrent notification to the state regulators (e.g. state attorneys general). In addition, the U.S. breach notice laws typically do not give the regulators discretion as to whether to require notice to individuals. Harm Threshold. Like some state breach notice laws, Alberta’s law has a “harm” threshold built into it. While no U.S. breach notice law uses the “real risk of significant harm” terminology, some states do require a material risk of harm, a material compromise, a material risk of identity theft, or similar. While it is difficult to compare harm standards, and more research would be necessary to get a clearer picture, it appears that the real risk of significant harm threshold is relatively high. The term does not appear to be defined in the Act itself, but perhaps the Commissioner will get an opportunity to clarify its meaning as it develops regulations and processes for managing the notifications it receives.What kind of information does the Alberta breach notice law apply to?
It applies to “personal information”, which is defined as follows:
“personal information” means information about an identifiable individual.
Differences against U.S. State breach notice laws:
No residency requirement. Unlike U.S. state laws, the residency of the individual does not matter. Personal information could relate to any individual whether a resident of Alberta or not. This could serve to limit the Commissioner’s jurisdiction to some degree. In the U.S. states, a state breach notice law could apply to a company with little to no “presence” in that state simply if they held personal information of a resident. Under Alberta’s law, there may need to be more traditional “doing business” jurisdiction for this law to apply. However, this jurisdictional issue is outside of the scope of this article (Michael Power, please weigh in if you would like/have the time). Less precise definition than U.S. breach notice laws. In U.S. breach notice laws the definition of “personal information” or “personally identifiable information” is more precise: typically requiring first name/first initial and last name, in combination with some kind of a account number. The concept of “identifiable individual” is arguably a broader concept than PI or PII in the United States, and therefore there may be instances of reporting required under Alberta’s law that may not be required under U.S. law (on the argument that PI or PII was not at issue as defined under the U.S. breach notice law[s]).