Several years after passing into law, the Canadian government has finally set an effective date for long-overdue data breach disclosure rules. The requirements were included in the Digital Privacy Act that was passed in 2015, but the accompanying regulations literally took years to finalize. Earlier this year, I argued that the failure to expedite security breach disclosure rules was an embarrassing failure for successive Conservative and Liberal governments, placing the personal information of millions of Canadians at risk and effectively giving a free pass to companies that do not adequately safeguard their customers’ information.
Last week, the government quietly passed the Order in Council that will allow the data breach disclosure rules to take effect on November 1, 2018. That delay is longer than I argued was needed in a regulatory submission filed with the government, but given the long delays and the fact that others wanted an even longer phase-in period, it is good to see the data breach disclosure rules finally take effect. It should be noted that there are still some important lingering questions about the content of notices, record keeping, and other related issues that should be addressed by regulation. The government will presumably flesh out the remaining issues with the release of the regulations in the weeks ahead.