A first attempt at the federal level to add a breach notification obligation to the PIPEDA privacy legislation was introduced through Bill C-29 in May 2010. It died when the election was called in spring 2011. Bill C-12, identical to C-29, was introduced in September 2011 but has not moved forward.
A new proposal, which has received the support of key industry players, was introduced in February. The private member’s Bill C-475 adds clear and mandatory security breach disclosure requirements to the federal PIPEDA law, along with significant penalties for compliance failures.
Under Bill C-475, an organization having personal information under its control would have to notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, that information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the security breach.