Business as usual
There are no major costs to selling, or losing, personal data so why should companies care?
Only when companies face major legal and financial repercussions for collecting, keeping and selling (or "losing") personal data our data will be reasonably safe. Until then why would any company spend any money on personal data security? Other than the money suggested by the PR dept so they can tell the public that data security is their top job every dime spend on security is a waste.
IMO careless collection, handling and storage of contract data, data collected as part of the contract, is a major contract violation, involves negligence, and requires more compensation than yet more data collection for useless promises of security. Here I would suggest a full refund, plus costs and compensation and no ownership claims to the products sold.
In this case that would be far more than the annual revenue of Nissan Canada and might force a bankruptcy but with changes to our bankruptcy laws it could serve as notice that Canadian citizens have rights and failing to protect those will cost investors and managers alike.
Of course why would the Canadian government do anything like that? The Court and Senate are filled by Appointment approved by our Elite and the only branch with elected positions, the House, uses party discipline to prevent those elected from representing their constituents. The Canadian government is well insulated from the concerns of Citizens, so Nissan and other companies have nothing to worry about other than dealing with PR issues.