The Public Interest Advocacy Centre (PIAC) recently released a report looking into data breach notification in Canada and whether current and proposed legislation, Bill C-12, is adequate to protect consumers. Alberta currently has the only data breach notification law in Canada.
The report, "Data Breaches: Worth Noticing?", is in part based on consumer feedback that indicates consumers believe they have a right to be notified of a data breach.
The report concludes that the proposed legislation is insufficient because it allows for "excessive discretion to organizations that have had a breach, allowing them to unilaterally characterize the breach as non-harmful to consumers."
The report concludes with recommended modifications to Bill C-12 to define the notification window for data breaches, to implement financial penalties for unreported breaches, to allow the privacy commissioner to define harm / notification requirement and to require that notification to consumers be made public, among other recommendations.