In two previous posts, I provided an outline of the privacy breach notification obligations under the Personal Information Protection Act (Alberta) and discussed the factors the Alberta Privacy Commissioner considers when deciding whether to order an organization to notify individuals of a privacy breach. This post describes the consequences for an organization that fails to comply with its privacy breach notification obligations under the Alberta Act.
An organization over which the Alberta Privacy Commissioner has jurisdiction must notify the Alberta Privacy Commissioner of a breach that a reasonable person would consider to involve a real risk of significant harm. The Canadian approach to jurisdiction requires a real and substantial connection between the subject matter of the incident and Alberta before the Alberta Privacy Commissioner will claim jurisdiction.
The outer limits of the real and substantial connection test in respect of privacy issues have not been fully developed. The test will be satisfied where the organization (other than a federally regulated organization) has a place of business or registered office in Alberta. Federally regulated organizations are instead subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
When dealing with foreign organizations, the real and substantial connection test is likely to be satisfied where a foreign organization has representatives in Alberta conducting business on its behalf and collecting personal information of Alberta residents, even though the organization does not maintain an office in Alberta. The test may also be met where a foreign organization engages in non-trivial activities in Alberta through electronic means that involve the collection, use and disclosure of personal information of persons resident in Alberta, even when the organization has no representatives in Alberta. Each situation involving a foreign organization must, however, be assessed on a case-by-case basis.
If the Alberta Act applies, then it is an offence under paragraph 59(1)(e.1) of the Alberta Act to fail to provide the required notification to the Privacy Commissioner of a privacy breach that meets the harm-based threshold discussed in Wednesday’s post.
It is also an offence under paragraph 59(1)(f) not to comply with an order of the Privacy Commissioner to provide notification to affected individuals, which was discussed in Thursday’s post.
These offences are punishable by a fine of up to Cdn. $10,000 for an individual and Cdn. $100,000 for a corporation or other entity. There is a two-year limitation period on prosecutions.
In August 2011, the Alberta Privacy Commissioner reported that 90 breaches had been reported in 16 months. Most involved human error: mundane email, fax or regular mail errors; stolen or lost unencrypted electronic devices; and improper destruction of records and electronic media.