Authors
Norman Chung
Rebecca Amoah
Nash Vijayan
In Canada, private sector provincial and federal privacy legislation has historically been enforced through a “name and shame” regime (with regulators publicly naming organizations that fail to comply).
However, recent and proposed legislative changes are opening the door for Canadian privacy regulators to impose significant fines on organizations that do not comply with new privacy standards. The European Union’s recent experience with privacy law enforcement provides some insight into how Canadian regulators may use this enhanced enforcement power.
In Québec, An Act to modernize legislative provisions as regards the protection of personal information, which introduced enhanced data protection requirements similar to the European General Data Protection Regulation (GDPR), has already entered the first of three stages of implementation. Starting in September 2023, organizations doing business in Québec that are found to be offside these requirements could face significant monetary consequences including:
See our article on Québec’s private sector privacy overhaul for more information.
At the federal level, the Office of the Privacy Commissioner (OPC) can currently pursue fines up to $100,000 for a small number of violations of the Personal Information and Electronic Documents Act (PIPEDA) such as obstruction of investigations or failure to report privacy breaches. However, the recently tabled Bill C-27, aimed at aligning Canada with the GDPR, would significantly increase these enforcement powers.
The proposed changes include the creation of a new Data Protection Tribunal that could impose significant monetary penalties following a finding of a violation by the Office of the Privacy Commissioner (OPC). If the legislation passes, Canadian businesses could face significant monetary consequences similar to those coming into force in Québec next fall, including:
See our article on Bill C-27 for more information about the proposed reforms.
The GDPR became law in Europe on May 25, 2018, introducing a single standard for data protection across the European Union, but leaving enforcement to member states’ national data protection authorities (DPAs).
It has now been nearly four and a half years since the GDPR was introduced, and the EU experience may provide some guidance on what Canadian organizations can expect if similar enforcement powers are adopted here. Since May 2018, enforcement by DPAs has been steadily increasing (see Figure 1 below). However, the degree of regulatory scrutiny appears to vary considerably by jurisdiction. This may be explained by the unique resource constraints and policy objectives of each member state’s DPA (for example, at the time of writing, Spain’s DPA had imposed more than 500 published fines under the GDPR, compared to fewer than 30 fines imposed by the French DPA).
In the first two years, enforcement was minimal, likely reflecting an early focus on education. However, by 2021, after three years on the books, GDPR enforcement boomed.
In 2021, at the same time that overall enforcement increased, the size of the fines being imposed also grew (see Figure 2 below). In most cases where significant fines were imposed, the organization was found to have failed to handle personal data in a lawful, fair, and transparent manner, or implement sufficient measures to ensure information security.
In 2021, a select number of high-profile enforcement actions resulted in record-setting fines under the GDPR. For example, the Luxembourg DPA imposed a €746 million fine on Amazon Europe Core S.a.r.l. for its targeted consumer advertising systems [1]. Later that year, Ireland's DPA also imposed a €225 million fine on WhatsApp Ireland Ltd. for failing to provide sufficiently clear information to users about its information processing activities [2]. Unsurprisingly, consumer-facing businesses appear to face greater regulatory scrutiny.
© 2024 by Torys LLP.