28 October 2021

Privacy Laws In Canada: To Infinite Fees And Beyond

Siskinds LLP

Contributor

Since 1937, Siskinds has been that firm of specialists serving individuals, families and businesses in southwestern Ontario and Canada from our offices in London, Sarnia and Quebec City. We’ve grown as the world around us has evolved. Today, we are a team of over 230 lawyers and support staff covering personal, business, personal injury and class action law and over 25 specialized practice areas.

If you're a business that hasn't dotted the i's and crossed the t's when it comes to privacy compliance, then you may have your own Buzz Lightyear "this is an intergalactic emergency" moment.

Both the Feds and Ontario have proposed new privacy legislation: the Feds introduced the Consumer Privacy Protection Act ("CPPA") and Ontario countered with a white paper entitled "Modernizing Privacy in Ontario" (the "Ontario Proposal"). Both seek to impose massive fines for non-compliance. Importantly, neither is law right now.

The CPPA aims to repeal PIPEDA and introduce new rights, such as the Right to be Forgotten, and strengthen already existing rights. In contrast, the Ontario Proposal arose as a response to criticisms of the CPPA along with Ontario's desire for a "made in Ontario" approach.

Both the CPPA and Ontario Proposal feature Administrative Fines and Statutory Offences with few differences between them.

Administrative fines

Both provide that if an organization violates the Act (for example, by failing to limit collection, obtain consent, dispose of personal information, or secure it properly), the organization could receive a maximum fine of $10,000,000 or 3% of gross global revenue, whichever is greater.

But the Ontario Proposal offers a lighter touch by distinguishing an organization (such as a corporation) from an organization that is an individual. Ontario proposes to limit the maximum liability of the individual to $50,000.

Statutory offences

Both have similar statutory offences that capture conduct where an organization knowingly:

  • failed to report a breach to the Commissioner;
  • failed to maintain a record of every breach of personal information ("PI");
  • failed to retain information subject to an inquiry;
  • failed to abide by a compliance order;
  • re-identified de-identified personal information;
  • sought retribution against a whistleblower; and
  • obstructed the Commissioner or his or her delegate(s) in the investigation of a complaint or an audit.

However, the CPPA goes a tad farther and also prohibits conduct where an organization knowingly gave an insufficient report to the Commissioner and failed to notify individuals of certain breaches to their PI (or gave insufficient notice).

Both provide a maximum fine to an organization of $25,000,000 or 5% of gross global revenue, whichever is greater.

It's still too early to know what will eventually become law. Just know that harsh fines and offences are coming and will be here to stay. Although the proposed fines will not levy "infinite" penalties as the title suggests, the penalties certainly will seem infinite when you compare them to the penalties imposed by previous privacy laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
