IAPP CIPP-C: Do Federally Regulated Companies in Canada Need to Report Privacy Breaches to Provincial Regulators?

Learn which provincial privacy regulators federally regulated companies in Canada must report data breaches to if customers in multiple provinces are impacted. Understand your breach reporting obligations under PIPEDA and provincial privacy laws.

Question

A federally regulated company based in Ontario has customers in Ontario, Quebec, New Brunswick, Alberta and British Columbia. Unfortunately, a third-party vendor that provides marketing support to the company experiences a privacy breach which impacts the personal information of all its customers across the provinces where it operates.

The Privacy Officer determines that the breach causes a real risk of significant harm to their customers and is tasked with reporting the breach to the relevant regulators.

With which provincial privacy regulators does the company have to file a report?

A. It is unnecessary to file a report with any provinces because the company is federally regulated
B. All of the provinces where its customers are located
C. New Brunswick and British Columbia only
D. Québec and Alberta only

Answer

D. Québec and Alberta only

Explanation

As a federally regulated company, the organization is subject to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, organizations that experience a breach of security safeguards involving personal information under their control must report the breach to the Office of the Privacy Commissioner of Canada (OPC) if it is reasonable to believe the breach creates a real risk of significant harm to individuals.

However, some provinces have their own substantially similar private sector privacy legislation that has been deemed equivalent to PIPEDA. Currently, this includes Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act. Federally regulated organizations operating in provinces with substantially similar legislation must comply with the provincial law for activities within that province.

Quebec and Alberta’s privacy laws contain breach reporting requirements, so the company would need to report the breach to the Commission d’accès à l’information du Québec and the Office of the Information and Privacy Commissioner of Alberta in addition to notifying the federal OPC.

Although B.C. has a substantially similar private sector law, it does not currently have breach reporting obligations. Ontario and New Brunswick do not have substantially similar private sector legislation, so PIPEDA applies and no additional provincial reporting beyond the OPC is required. Therefore, option D is correct – the company must report to the Québec and Alberta regulators only, in addition to the federal reporting requirement.

In summary, as a federally regulated company, the organization must report the breach to the federal OPC under PIPEDA, as well as to the provincial regulators in Quebec and Alberta, whose substantially similar private sector privacy laws contain breach reporting requirements. No additional reporting to other provinces is required based on the information provided.