Government Releases Proposed Security Breach Regulations

The long-awaited draft of the mandatory Breach of Security Safeguards Regulations for Canada were recently released by the Ministry of Innovation, Science and Economic Development Canada (ISED). Organizations have 30 days to comment as part of the formal stakeholder consultation process.

The proposed regulations include specific requirements regarding:

  • the content, form and manner of reporting of security breaches to the Office of the Privacy Commissioner of Canada;
  • the content, form and manner of security breach notification to affected individuals; and
  • scope and retention period of breach record-keeping.


The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity. On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended PIPEDA to include, among other things, mandatory data breach reporting requirements.

Next Steps

Organizations have 30 days to comment on the proposed regulations as part of the formal stakeholder consultation process. The government will then evaluate that input before publishing the final regulations. To give companies time to prepare and ensure compliance readiness, there will be a delay before the regulations take effect, not likely to be before the second half of 2018.

The Canadian privacy arena will be significantly impacted by PIPEDA's new security breach notification regime. Non-compliant companies could receive fines or be ordered to change their practices.

CMA will participate in the formal stakeholder consultation process and will be making its written submission available on CMA’s government submissions webpage.

Questions, comments or input can be directed to Cristina Onosé at

Tags: breach, privacy, ised, canada, pipeda