If you're a business that hasn't dotted the i's and crossed the t's when it comes to privacy compliance, then you may have your own Buzz Lightyear-"this is an intergalactic emergency"-moment.
Both the Feds and Ontario have proposed new privacy legislation: the Feds introduced the Consumer Privacy Protection Act ("CPPA") and Ontario countered with a white paper entitled "Modernizing Privacy in Ontario" (the "Ontario Proposal"). Both seek to impose massive fines for non-compliance. Importantly, neither are law right now.
The CPPA aims to repeal PIPEDA and introduce new rights, such as the Right to be Forgotten, and strengthen already existing rights. In contrast, the Ontario Proposal arose as a response to criticisms of the CPPA along with Ontario's desire for a "made in Ontario" approach.
Both the CPPA and Ontario Proposal feature Administrative Fines and Statutory Offences with few differences between them.
Administrative fines
Both provide that if an organization violates the Act (for example, by failing to limit collection, obtain consent, dispose of personal information, or secure it properly), the organization could receive a max. fine of $10,000,000 or 3% of gross global revenue, whichever is greater.
But the Ontario Proposal offers a lighter touch by distinguishing an organization (such as a corporation) from an organization that is an individual. Ontario proposes to limit the maximum liability of the individual to $50,000.
Statutory offences
Both have similar statutory offences that capture conduct where an organization knowingly:
- failed to report a breach to the Commissioner;
- failed to maintain a record of every breach to PI;
- failed to retain information subject to an inquiry;
- failed to abide by a compliance order;
- re-identified de-identified personal information;
- sought retribution against a whistleblower; and
- obstructed the Commissioner or his or her delegate(s) in the investigation of a complaint or an audit.
However, the CPPA goes a tad farther and also prohibits conduct where an organization knowingly gave an insufficient report to the Commissioner and failed to notify individuals of certain breaches to their PI (or gave insufficient notice).
Both provide a maximum fine to an organization of $25,000,000 or 5% of gross global revenue, whichever is greater.
It's still too early to know what will eventually become law. Just know that harsh fines and offences are coming and will be here to stay. Although the proposed fines will not levy "infinite" penalties as the title suggests, the penalties certainly will seem infinite when you compare them to the penalties imposed by previous privacy laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.