Businesses that contravene Canada’s privacy laws will face penalties (fines) of up to $10 million or 3% of global revenues and class actions for damages under proposed new privacy legislation that was introduced into Parliament on November 17, 2020, as Bill C-11. Bill C-11 will also authorize the Privacy Commissioner to make wide-ranging compliance orders..
Bill C-11 is the vehicle for enacting two new statutes, the Consumer Privacy Protection Act (CPPA), which replaces the privacy provisions in Personal Information Protection and Electronic Documents Act (PIPEDA), and the Personal Information and Data Protection Tribunal Act.
The CPPA will substantially modify Canada’s privacy laws and impose important new obligations on every business that operates in Canada. Click here for a description of these new rules.
New Enforcement Powers
The new legislation contains new remedies for breaches and gives the Commissioner greatly expanded powers. It will also create a new tribunal, the Personal Information and Data Protection Tribunal.
The Commissioner will continue to combine the roles of investigator, prosecutor, and decision-maker. As investigator, the Commissioner is charged with investigating complaints made under CPPA. The Commissioner can even start the process without a complainant by initiating a complaint or an audit on its own.
The Commissioner retains powerful investigative tools, including the right to compel evidence under oath and search business premises, all without the need for judicial authorization. In addition, Bill C-11 will give the Commissioner a broad new power to make “any interim order that the Commissioner considers appropriate.”
Bill C-11 will divide investigations into two phases: investigations and inquiries. The commencement of an inquiry follows an investigation and opens the door to new remedies, including compliance orders, penalties (akin to fines, but frequently referred to as administrative monetary penalties, or AMPs), and private actions.
Remedies With Teeth
A number of remedies will be available following an investigation or inquiry by the Commissioner:
- Compliance Agreements. The Commissioner and the business can enter into a compliance agreement that is aimed at ensuring compliance with CPPA. Compliance agreements will likely terminate the matter, but they seem only to be available during the investigation phase.
- Decision and Compliance Order. At the conclusion of an inquiry, the Commissioner must release a written decision containing the Commissioner’s findings and reasons for any compliance order that has been made. Compliance orders can require the business to stop conduct that contravenes the CPPA and take affirmative measures to comply with the CPPA.
- Penalties. The Commissioner can recommend that the Personal Information and Data Protection Tribunal impose a penalty of up to 3% of an organization’s global gross or $10 million, whichever is greater.
- Private Actions for Damages. Any individual who is affected by a contravention can sue for damages for loss or injury caused by the contravention. This cause of action is only available if the Commissioner or the Tribunal has made a finding that the organization has contravened CPPA.
- Appeals. Both the respondent business and the complainant can appeal the Commissioner’s findings and orders to the Tribunal.
While compliance agreements are currently available under PIPEDA, there is little incentive for businesses to agree to them. Similarly, PIPEDA contains a mechanism for the Commissioner to obtain court orders requiring an organization to comply with PIPEDA, and even to pay damages, but this provision has been little used.
The lack of effective remedies has long been a major flaw in PIPEDA. It has even led to privacy issues being dealt with by other enforcement authorities. Recently, for example, Facebook paid a $9 million AMP to resolve concerns that it was misrepresenting its privacy polices to consumers. But this AMP was obtained by the Commissioner of Competition under the Competition Act’s deceptive marketing practices provisions, not PIPEDA. (See Facebook’s Multi-million Dollar Settlement.) Likewise, Notesolution Inc. paid a $100,000 AMP to settle allegations that it breached Canada’s Anti-Spam Legislation (CASL). The CRTC alleged that in addition to sending unsolicited emails, Notesolution was collecting personal information stored on student’s computer systems. (See Cassels Represents University of Toronto in OneClass CASL investigation.)
Scalable Penalties
The proposal in Bill C-11 to calculate monetary penalties as a percentage of an organization’s gross global revenue is a first in Canada. Although fines are routinely calculated based on revenue in the European Union, most other AMP regimes in Canada, such as that in the Competition Act, simply establish a maximum dollar amount. It may be that this will be the model for reform of other Canadian penalty regimes.
While penalties can be calculated as a percentage of an organization’s global revenues, there is no mechanism for recognizing penalties or fines that the organization may have paid to privacy enforcers in other jurisdictions. Given that data breaches frequently cross borders, this is a significant omission.
Built for Speed, not Fairness
Businesses facing enforcement under the CPPA will have only limited procedural fairness rights. Limitations on procedural fairness include:
- No Impartial Decision-maker. Because the Commissioner combines the roles of investigator, prosecutor, and decision-maker—and even sometimes also complainant—the Commissioner cannot be described as an impartial or neutral decision maker. Businesses under investigation for privacy breaches will have decisions or orders made against them by the investigator.
- Limited Participation. Businesses have the right to receive notice of the complaint, and, at the inquiry stage, to “be heard” and to be represented by counsel. Businesses do not have the right to disclosure of evidence from the Commissioner, to present evidence (although in practice the Commissioner would likely receive any evidence the business chose to offer), or to cross-examine witnesses.
- Warrantless Search and Seizure. The Commissioner can search premises and seize records without a warrant and compel evidence under oath without prior judicial authorization. While this continues the trend found in other recent federal legislation (such as CASL), it lacks safeguards against excessive demands by the Commissioner.
- No Effective Recourse to the Tribunal. The Tribunal has been set up to be a rubber-stamp of recommendations made by the Commissioner. In determining penalty amounts, the Tribunal is bound by findings made by the Commissioner. The business only has the right to make “representations” (legal arguments) at the hearing; it cannot present evidence, so the only facts before the Tribunal will be those found by the Commissioner. While the business can appeal the Commissioner’s findings, the standard of review is akin to that of an appeal court, which means that an appeal to the Tribunal provides no cure for the lack of impartial decision-making by the Commissioner.
In sum, the enforcement process contemplated by CPPA lacks the procedural fairness guarantees normally associated with regulatory schemes that involve significant penalties, such as disclosure of the case to meet, the ability to test evidence through cross-examination, and an impartial decision-maker. It sacrifices fairness, and potentially justice, in hopes of achieving speedy results. While speed is desirable, the availability of large penalties under CPPA make the lack of procedural fairness troubling.
More Class Actions?
The CPPA includes a private right of action that allows individuals (not legal persons such as corporations) to recover damages for loss or injury caused by contraventions. As with the similar private right of action in the Competition Act, this right will almost certainly be asserted mainly through class actions.
This statutory cause of action is only available after the Commissioner or the Tribunal has found that an organization has contravened the CPPA, however.
It is questionable whether the cause of action in the CPPA will have much impact. Class action plaintiffs now routinely start class actions against businesses that experience data breaches or breach privacy expectations using common law causes of action, as well as statutory causes of action contained in provincial privacy laws. Some of these provincial causes of action are likely to be more attractive to plaintiffs than the private right of action in the CPPA. For example, British Columbia’s Privacy Act makes privacy violations a tort actionable without proof of damage, in contradistinction with the CPPA, which appears to limit damages to compensation for actual losses.
That said, decisions issued by the Commissioner may prove to be a tool for would-be plaintiffs to discover privacy breaches.
Incentive to Settle
While CPPA will undoubtedly lead to an increase in both administrative proceedings against the Commissioner and private litigation, the CPPA contains strong incentives for businesses to settle investigations early on.
This is because entering into a compliance agreement with the Commissioner will avoid negative findings that could trigger penalties and private actions. Indeed, since it is likely that a compliance agreement could include a monetary payment, we expect the Commissioner to demand penalties as part of settlements, just as the CRTC and the Commissioner of Competition routinely obtain penalties in their settlements.
The new obligations imposed on every business operating in Canada under CPPA, coupled with enhanced enforcement and tougher penalties will force businesses to adopt robust compliance programs to ensure that they comply with the new rules and respond promptly and effectively to any privacy breaches.
The Cassels Information Technology & Data Privacy Group can help you get ready for these new rules and respond to investigations by the Commissioners.