The draft privacy breach regulations under PIPEDA have just been published. They are open for comment for 30 days.
These regulations detail the mechanics of notifying the Privacy Commissioner and individuals when there is a privacy breach. PIPEDA was amended some time ago to require mandatory notification when there is a breach that results in a “real risk of significant harm”. Those provisions will come into force after the regulations are passed.
The draft regulations are about what was expected. They are similar to those under Alberta privacy legislation.