McCarthy Tétrault

Navigating the Legislative Landscape on Data Breaches: 2026 Data Breach Insights – Part 3


May 7, 2026 | Publication

This article is part of our 2026 Data Breach Insights series, designed to help companies navigate the evolving data breach landscape. Explore the full series.


In this article, we provide an overview of the legislative and regulatory framework governing data breaches in Canada and highlight certain developments from the past year. We do not cover public sector privacy laws in this article.

Breach reporting and notification under privacy laws of general application

Canada’s private-sector privacy law framework is anchored by both federal and provincial statutes that regulate how personal information is collected, used, disclosed and protected. At the federal level, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) remains the privacy statute governing private-sector organizations engaging in commercial activities, including those operating in federally regulated industries such as banking, telecommunications, and inter-provincial transportation.

Under PIPEDA, mandatory reporting of “breach of security safeguards” is required if it is reasonable in the circumstances to believe that the breach poses a “real risk of significant harm” (“RROSH”) to an individual. Significant harm includes financial loss, identity theft, damage to reputation or relationships, loss of employment or business opportunities, humiliation, or other serious impacts. When the RROSH threshold is met, the organization must report the breach to the Office of the Privacy Commissioner of Canada, and notify individuals affected as well as any other organizations or government institutions if they may help reduce the risk of harm. The Breach of Security Safeguards Regulations under PIPEDA set out the specific content requirements for such reports and notifications, and also require organizations to maintain a record of every breach, regardless of whether or not the RROSH test has been met, for 24 months following the occurrence of the breach.

Statutes enacted by the provincial governments of Alberta, British Columbia, and Quebec have been deemed “substantially similar” to PIPEDA and generally apply instead of PIPEDA within those provinces, although PIPEDA continues to apply to federally regulated organizations and to personal information that crosses provincial or national borders.

Alberta’s Personal Information Protection Act (“Alberta PIPA”) essentially mirrors PIPEDA’s RROSH threshold for reporting “any incident involving the loss of or unauthorized access to or disclosure of the personal information” to the Alberta privacy commissioner. While PIPEDA requires notification of affected individuals as soon as the RROSH threshold is met, Alberta PIPA technically only mandates such notification where directed by the Alberta commissioner. In practice, however, organizations usually notify affected individuals concurrently as a proactive compliance measure to demonstrate that reasonable steps have been taken to mitigate potential harm. The Personal Information Protection Act Regulation under Alberta PIPA sets out content requirements for such reports and notifications that are substantially similar to those under PIPEDA.

Under British Columbia’s Personal Information Protection Act (“BC PIPA”), private-sector organizations are not currently subject to mandatory breach reporting to the BC privacy commissioner or mandatory notification to affected individuals. However, the BC commissioner encourages organizations to voluntarily report privacy breaches using its Online Privacy Breach Report Form and to notify affected individuals where the breach presents a risk of significant harm, as part of responsible privacy governance and incident response.

In Quebec, private-sector privacy compliance is governed primarily by the Act respecting the protection of personal information in the private sector (the “Quebec Act”), which has been significantly modernized in recent years, with key amendments coming into force between 2022 and 2024. Since September 22, 2022, Quebec has implemented a mandatory breach reporting regime under which an organization must promptly report to the Quebec privacy commissioner and notify affected individuals of any “confidentiality incident” involving personal information if the incident presents a “risk of serious injury” to the individuals concerned. Although the terminology differs from PIPEDA’s RROSH standard, the two thresholds are comparable in substance. The Regulation respecting confidentiality incidents under the Quebec Act prescribes the content requirements for reports to the Quebec privacy commissioner and notifications to affected individuals. While the structure and wording differ from the federal regime, the substantive information required is generally aligned with PIPEDA. The regulation also requires organizations to maintain a register of all confidentiality incidents for a period of 5 years, regardless of whether the “risk of serious injury” test is met.

In addition to these operational duties, Quebec’s framework is distinguished by a significantly strengthened enforcement regime. Quebec’s privacy commissioner may impose substantial administrative monetary penalties for specified contraventions, including failures to report qualifying incidents, notify affected individuals, or maintain the required register. Maximum administrative monetary penalties may reach the greater of CAD $10 million or 2% of worldwide turnover for the preceding fiscal year, while penal fines for more serious offences may reach the greater of CAD $25 million or 4% of worldwide turnover, creating meaningful regulatory and financial exposure for organizations operating in Quebec.

Bill C-8: proposed mandatory cybersecurity program and incident reporting duties for federally regulated critical sectors

The most significant recent legislative development that may affect the breach response world in Canada is the introduction of Bill C-8, titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. If enacted, Bill C-8 would create a federal framework that substantially expands baseline cybersecurity compliance requirements for certain organizations operating in designated critical sectors under federal jurisdiction.

In particular, Bill C-8 would enact the Critical Cyber Systems Protection Act (“CCSPA”), establishing a regime for the protection of “critical cyber systems” associated with services and systems designated as “vital” for national security or public safety, including banking, telecommunications, energy, transportation, nuclear, and clearing and settlement systems. Organizations on the list of vital services and systems that are also classified as “designated operators” will be subject to a range of new and significant obligations, including requirements to implement cybersecurity programs, mitigate supply-chain and third-party risks, report cybersecurity incidents, and comply with binding cybersecurity directions issued by the government.

The CCSPA would require a designated operator to report a cybersecurity incident affecting its critical cyber systems to the Communications Security Establishment (“CSE”) within a period set by regulation that cannot exceed 72 hours, and then to notify and provide a copy of the report to the appropriate regulator immediately after reporting to CSE. Which regulator is engaged will depend on the sector in which the designated operator operates, and may include the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions, the Bank of Canada, the Canadian Energy Regulator, or the Canadian Nuclear Safety Commission. This regime is not limited to personal information breaches; it is oriented to the confidentiality, integrity, and availability of critical systems, and it is therefore broader in scope than privacy breach reporting frameworks that focus on harm to individuals.

Under the CCSPA, administrative monetary penalties could be very steep: the regulations may set penalties up to CAD $15,000,000 for organizations and up to CAD $500,000 for individuals. Continuing violations may compound because a violation committed or continued on more than one day constitutes a separate violation for each day. Notably, directors and officers may be held personally liable if they are found to have directed, authorized, or participated in violations or offences. This heightened accountability underscores the importance of board-level engagement and oversight in cybersecurity governance.

As of the date of publication, Bill C-8 has passed first reading in the Senate and is expected to be referred for committee consideration in the near future. You can monitor the Bill’s progress here.

Bill C-8 is anticipated to continue advancing swiftly through the legislative process. Accordingly, organizations that may be captured by the proposed regime should proactively assess compliance gaps and prepare appropriate compliance strategies. For a more detailed discussion of the proposed CCSPA and practical guidance, please see our dedicated blog post, Bill C-8: What Operators of Critical Cyber Systems Should Know and Do to Prepare their Cybersecurity Programs.

Sector-specific breach reporting requirements

In addition to the generally applicable breach-of-security-safeguards notification obligations under PIPEDA and the substantially similar private-sector provincial privacy statutes, many organizations operating in Canada are subject to sector-specific data breach reporting requirements. These obligations often arise under industry-specific legislative or regulatory regimes, including guidance issued by sectoral regulators. Organizations operating in certain regulated sectors may therefore be subject to enhanced, parallel, or distinct breach notification requirements. The following provides a non-exhaustive overview of how selected sector-specific breach reporting obligations are currently being applied.

Health sector

Organizations in the health sector in Canada are often subject to breach reporting and notification obligations under sector-specific provincial health information statutes, which may operate alongside generally applicable privacy laws. By way of example, Ontario’s Personal Health Information Protection Act, along with comparable statutes in other provinces, requires health information custodians to notify affected individuals of privacy breaches involving the theft, loss, or unauthorized use or disclosure of personal health information, and to report prescribed categories of such breaches to the relevant provincial privacy commissioner. In Quebec, health and social services information is governed by a dedicated statutory framework, the Act respecting health and social services information, which came into force in July 2024 and contains breach notification and reporting requirements that closely align with those established under the Quebec Act. Accordingly, organizations operating in the healthcare sector or providing services to healthcare institutions and handling health information on their behalf should carefully assess whether sector-specific health information statutes impose additional or overriding breach response, notification, and reporting obligations beyond those arising under generally applicable privacy legislation.

Federally regulated financial institutions

The Office of the Superintendent of Financial Institutions (“OSFI”) has, since 2021, maintained in force a supervisory advisory entitled Technology and Cyber Security Incident Reporting, which adopts a broad approach to incident reporting and imposes stringent timing expectations on federally regulated financial institutions (“FRFIs”). Under the advisory, FRFIs are required to report technology or cybersecurity incidents to OSFI’s Technology Risk Division and their Lead Supervisor at OSFI within 24 hours, or sooner if possible. The advisory defines a technology or cybersecurity incident broadly as “an incident that has an impact, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.” FRFIs include entities such as banks, foreign bank branches, life and fraternal insurance companies, property and casualty insurers, and trust and loan companies.

Quebec financial institutions

The Quebec Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents came into force in April 2025. The regulation establishes a formal framework governing how certain provincially regulated financial institutions, including insurers, deposit institutions, trust companies, credit unions, and designated credit assessment agents, must manage and report “information security incidents,” defined broadly as any attack on the availability, integrity, or confidentiality of information systems or the data they contain. This definition is intentionally broader than the concept of a “confidentiality incident” under the Quebec Act, capturing operational and system failures (such as server outages) even where no personal information is compromised.

In addition to adopting and maintaining a written information security incident management policy and incident register, covered institutions are subject to mandatory reporting obligations. Once senior management is aware of an incident, it must be reported to the Autorité des marchés financiers within 24 hours. Non-compliance risks administrative monetary penalties ranging from CAD $250 to CAD $500 for a natural person and from CAD $1,000 to CAD $2,500 for covered institutions, depending on the nature of the offence.

Payment service providers

The Retail Payment Activities Act (“RPAA”), which came into force in phases in 2024 and 2025, is the first federal statute specifically governing retail payment activities in Canada. Administered by the Bank of Canada, the RPAA applies to payment service providers (“PSPs”), which are non-bank entities that perform payment functions such as holding end-user funds, initiating or authorizing electronic funds transfers, transmitting payment messages, or providing clearing or settlement services.

Among other requirements, the RPAA subjects PSPs to mandatory incident reporting obligations with impact-based thresholds that are tied to operational risk. The RPAA defines an “incident” as “an event or series of related events that is unplanned by a payment service provider and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any retail payment activity that is performed by the payment service provider.” This captures cyber incidents, technology failures, service disruptions, and third-party incidents that affect payment functions, regardless of whether personal information is compromised. When a reportable incident occurs, a PSP must notify the Bank of Canada and affected individuals or entities “without delay”.

Open banking participating entities

The Consumer-Driven Banking Act (“CDBA”) was enacted on March 26, 2026 as part of Bill C-15 (an omnibus budget implementation bill). The CDBA establishes Canada’s legislative framework for consumer-driven banking (“open banking”), enabling individuals and businesses to direct participating entities to securely share their financial data with accredited third parties within a regulated ecosystem overseen by the Bank of Canada. The CDBA addresses accreditation, security safeguards, consent, authentication, complaints, and enforcement, and is designed to create a standardized, secure data-sharing regime across participating entities. Within that framework, the CDBA introduces a centralized breach reporting regime. Participating entities must report to the Bank of Canada any breach of the security safeguards they implement with respect to consumer data under their control, immediately after determining that a breach has occurred. Consumer notification is required only where it is reasonable to believe that the breach creates a RROSH, substantively mirroring the threshold under PIPEDA. While the CDBA has been enacted, the majority of the operative provisions – including the breach notification requirements – will not come into force until a future date fixed by order of the Governor in Council.

Publicly listed companies

Publicly listed companies are subject to continuous disclosure obligations under Canadian securities laws that may require timely public disclosure of cybersecurity incidents, including data breaches, where such incidents meet applicable materiality thresholds. The Canadian Securities Administrators (“CSA”) have issued guidance confirming that a cybersecurity incident must be disclosed if it constitutes a “material change” or forms part of material risk information requiring disclosure under continuous disclosure rules. In this context, materiality is assessed based on whether the incident would reasonably be expected to have a significant effect on the market price or value of the issuer’s securities. There is no bright-line test; issuers must assess materiality on a case-by-case basis, having regard to the nature and scope of the incident, operational disruption, financial impact, regulatory exposure, litigation risk, reputational harm, and the issuer’s overall risk profile.

Where a cybersecurity incident constitutes a material change, the issuer is required to make timely public disclosure in accordance with applicable Canadian securities laws. Even where a breach does not rise to the level of a material change, issuers are expected to ensure that their ongoing disclosure, including risk factor disclosure and MD&A (management discussion and analysis), appropriately reflects material cybersecurity risks and developments relevant to the issuer’s business. Compliance with these disclosure obligations is overseen and enforced by provincial securities regulators (such as the Ontario Securities Commission and the Autorité des marchés financiers in Quebec), which may review filings, request supplemental disclosure, require corrective filings, or pursue enforcement proceedings where disclosure is deficient or misleading.


This article is part of our 2026 Data Breach Insights series, designed to help companies navigate the evolving data breach landscape. As threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To help you stay ahead of these challenges, each part of this series provides actionable insights on data breach preparedness, compliance obligations, and risk mitigation. Explore the full series here.

What we mean by “data breach”

When people hear “data breach,” they often think only of incidents involving personal information. In this series, we use the term more broadly. We’re looking at any security incident where sensitive or confidential data is accessed, exfiltrated, published, changed, wiped, or made unavailable without authorization – whether that data belongs to individuals or to the business itself. That includes everything from intellectual property and financial records to operational systems taken offline by ransomware.

To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.