Article on Privacy Legislation: Brazil vs. Canada

CANADA

In Canada, organizations that have experienced a privacy breach will, in most cases, have a legal duty to notify the individuals affected by the breach, as well as the relevant regulatory bodies. These obligations are found in the various laws and regulations that govern the protection of personal information in the private and public sectors. They include the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as substantially similar provincial laws in three provinces:

  • Alberta (the Personal Information Protection Act – “PIPA AB”);
  • British Columbia (the Personal Information Protection Act – “PIPA BC”); and
  • Quebec (the Act Respecting the Protection of Personal Information in the Private Sector – “Private Sector Act”).

It is important to note that PIPEDA applies to “federal works, undertakings and businesses” as defined in the legislation (e.g., banks, airlines and telecommunications companies). PIPEDA also applies to organizations engaged in commercial activities in provinces without substantially similar privacy legislation, such as Ontario, Manitoba and Saskatchewan. Finally, PIPEDA applies to inter-provincial and international data transfers. In provinces with substantially similar legislation (Alberta, British Columbia and Quebec), the provincial laws listed above take precedence over PIPEDA for intra-provincial commercial activities.

Threshold Test for Notification & Content of Notification

PIPEDA

Under PIPEDA, organizations must notify the Office of the Privacy Commissioner of Canada (“OPC”) and affected individuals of a breach of security safeguards involving personal information if it is reasonable to believe that the breach creates a “real risk of significant harm” to an individual (the “RROSH” test). In this context, “significant harm” includes bodily harm, damage to reputation or relationships, loss of employment, financial loss and identity theft (PIPEDA, s 10.1(7)).

Notification must be made as soon as feasible after the organization determines that the breach has occurred. The notification must, among other things, include a description of the breach, the personal information involved, the steps taken to mitigate the harm, and contact information through which further information can be obtained.

Quebec Private Sector Act

Quebec’s Private Sector Act was recently updated to include more detailed breach notification requirements, including an obligation to notify the privacy regulator, as well as affected individuals, if the breach presents a “serious risk of injury” to individuals. This threshold is similar to the one found under PIPEDA. The notion of “injury” includes physical harm, significant humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft and other significant harm.

There is no fixed timeline for notification, but organizations must report the incident “promptly”. The notification must, among other things, include a description of the breach, the personal information involved, the steps taken to mitigate the harm, and contact information for further assistance.

PIPA AB

In Alberta, any incident involving the loss of, or unauthorized access to or disclosure of, personal information that creates a “real risk of significant harm” to individuals must be reported to the Office of the Information and Privacy Commissioner of Alberta (“OIPC AB”) and to the affected individuals. As under PIPEDA, “significant harm” includes physical harm, damage to reputation or relationships, financial loss, identity theft and negative effects on credit records.

Notification must be made without unreasonable delay. As under PIPEDA, the notification must, among other things, include a description of the breach, the personal information involved, the potential harm, and the steps taken to mitigate the harm.

PIPA BC

PIPA BC contains no provision making the reporting of a data breach to the regulator or to affected individuals mandatory; organizations are, however, encouraged to report significant breaches.

Record Keeping Obligations

As in Brazil, PIPEDA establishes a record-keeping requirement. Every breach, whether or not it meets the threshold for notification, must be recorded, and the OPC may request these records at any time. Records must be kept for 24 months from the date the organization determines that the breach occurred. The Quebec Private Sector Act is the only provincial law with a comparable requirement: organizations must keep a register of breaches, with entries retained for a period of 5 years.

Please see the graph below for an overview of the Canadian privacy breach notification requirements:

BRAZIL

The National Data Protection Authority (ANPD), acting under Law No. 13.709/2018 (Lei Geral de Proteção de Dados – LGPD), recently published Resolution CD/ANPD No. 15 of April 24, 2024, which approves the Security Incident Communication Regulation.

Among the main aspects of the regulation, the Resolution requires the controller to notify the ANPD and the data subjects of any security incident that may cause relevant risk or damage. An incident meets this threshold when it could significantly affect the fundamental interests and rights of data subjects and, cumulatively, involves at least one of the following: (i) sensitive personal data; (ii) data of children, adolescents or elderly persons; (iii) financial data; (iv) system authentication data; (v) data protected by legal, judicial or professional secrecy; or (vi) large-scale data processing.

The controller must notify the ANPD of the incident using the electronic form made available by the ANPD, within three business days of becoming aware that the incident affected personal data. This notification may be supplemented within 20 business days of its submission.

The affected data subjects must be notified directly and individually (by telephone, e-mail, message, letter or other similar means) whenever they can be identified, within three business days of the controller becoming aware of the incident. If the affected data subjects cannot be identified, the notification must be made through a channel that allows broad and easy access to the information, such as the controller’s website, applications, social media and data subject support channels, for a minimum period of three months.

Records of the security incident, even when it is not reported to the ANPD or to the data subjects, must be kept by the controller for at least five years.

Companies will therefore need not only to be prepared to act diligently, decisively and quickly, but also to document the entire incident and each of its identification, response, remediation and communication stages.

The record must contain, at a minimum:

  1. a description of the nature and category of the affected personal data;
  2. the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
  3. the risks related to the incident, identifying the possible impacts on data subjects;
  4. the reasons for the delay, if the notification was not made within the period established in the caput of article 6 of the Resolution;
  5. the measures that have been or will be adopted to reverse or mitigate the effects of the incident, where applicable;
  6. the date on which the security incident became known; and
  7. the contact for obtaining information and, where applicable, the contact details of the Data Protection Officer.

At any time, the ANPD may require the controller to produce the record of the affected processing operations, the Data Protection Impact Report and the Incident Treatment Report, which together describe the incident and the measures taken.

In view of this, the controller must be prepared not only to make the notifications in the required form and with the required content, but also to account for its actions in relation to the incident. It is important to be able to demonstrate compliance procedures before, during and after the breach.

Learn more about the authors

Me Marc-Antoine Bigras
Associate Attorney | Privacy & Data Protection
Paulo Perrotti
Coordinator of the CCBC Compliance and ESG Commission