Data Breach Notification Provisions of PIPEDA Act Go Into Effect Nov. 1, 2018

• Pursuant to a March 26, 2018 Order in Council, the mandatory breach notification provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will become effective on November 1, 2018.

• Under the provisions, organizations must notify affected individuals and Canada’s Office of the Federal Privacy Commissioner about a data breach when the breach creates a “real risk of significant harm to the individual,” which includes, among other things, humiliation, damage to reputation and identity theft.

• Notification must be given as soon as possible after the breach has occurred.

Class Actions

Nonusers of Facebook Can’t Sue Under Illinois Biometric Privacy Act

  • A putative class action suit against Facebook under Illinois’ Biometric Information Privacy Act (BIPA) was tossed by the Northern District of California on Tuesday on the ground that Facebook did not use any facial recognition technology on the lead plaintiff, a nonuser of Facebook.
  • According to the order granting Facebook’s motion for summary judgment, Facebook does not use facial recognition on photos uploaded to organizational rather than personal pages. Because the only photo the lead plaintiff was challenging was uploaded to an organizational page, no genuine issues of material facts existed, and the plaintiff could not prove violations of BIPA.


Irish Data Privacy Commissioner Says Agency Will Focus on Transparency

  • Speaking at the International Association of Privacy Professionals’ Privacy Bar Section in Washington, D.C., Helen Dixon, the Data Protection Commissioner for Ireland, shared that the Irish privacy authority intends to focus its GDPR enforcement sights on how companies are complying with their obligations to be transparent about the way they collect and use personal data.
  • “We’re starting with transparency because we think it’s a key concept in empowering data subjects and giving them control of their data,” Dixon said. “Data subjects can’t access their rights if there is no transparency.”


Alabama Becomes 50th State to Pass Data Breach Notification Law

  • On March 28, 2018, Alabama Governor Kay Ivey signed a data breach notification law that requires “covered entities” and their “third-party agents” to notify affected individuals if “sensitive personally identifying information” is acquired without authorization.
  • The Alabama Attorney General and all consumer reporting agencies must be notified within 45 days if more than 1,000 Alabama residents are affected.
  • Third-party agents are required to notify the covered entity within 10 days of discovery of a breach.

New York Attorney General Schneiderman Releases Breach Report, Urges Legislature to Pass New Data Protection Laws

  • On March 29, 2018, New York’s Attorney General Eric T. Schneiderman shared that his office received notice for 1,583 security incidents in 2017, which equates to the potential exposure of sensitive personal information for 9.2 million New York residents.
  • AG Schneiderman also plans to prepare legislation to require social media sites to notify the New York Attorney General office when learning that users’ personal data has been obtained or misused in violation of the law or terms of service.
  • Finally, AG Schneiderman urged the New York legislature to pass his Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which he introduced last fall. Under the SHIELD Act, companies would have a legal responsibility to adopt “reasonable” administrative, technical and physical safeguards for sensitive data. The bill also would expand the types of data that trigger reporting requirements.