Part 1 of this bulletin aimed to provide a high-level compliance guide to the Act, from the perspective of privacy officers of organizations that are already PIPEDA compliant, and are just seeking specific guidance as to what are the net new compliance requirements. Part 2 now identifies key “hot button” compliance issues in the Act, based on the Act’s penalty provisions.
2. Hot Button Compliance Issues in the New Act
As we have noted, one of the most significant aspects of the proposed Act is the significant range of enforcement remedies. Given that our emphasis is on compliance for privacy officers, we don’t propose to review those in detail in this bulletin. However, (a) the penalties that can be imposed by the Data Tribunal, and (b) the slightly extended list of offences for which fines may be applied, helpfully set out a guide as to which features of an organization’s privacy compliance program will likely be the focus of enforcement, and should therefore be revisited by privacy officers with a view to strengthening those aspects of their privacy programs.
a. Hot Button Issues: As Indicated by Tribunal Penalties
After completing an inquiry where the Commissioner finds that an organization has contravened certain provisions, the Commissioner has the power make a recommendation to the Data Tribunal that a penalty be imposed on the organization, where the maximum penalty for all the contraventions in a recommendation taken together is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed. These provisions triggering these potential penalties are as follows.
i. Section 13: Limiting collection to what is necessary for the purposes.
ii. Subsection 14(1): New purpose requires new consent.
iii. Subsection 15(5): Consent re provision of product or service: no collection, use or disclosure of personal information beyond what is necessary to provide the product or service.
iv. Section 16: No consent obtained by deceptive or misleading practices.
Commentary: The first three sections above focus on the ordinary course use of consent in connection with collection, use and disclosure, and Section 13 and 15(5) require an assessment as to what is “necessary” – which could be subject to interpretation. Privacy officers should re-review their consent process against this checklist of consent compliance requirements.
v. Section 53 (Limited period for retention and disposal): An organization must not retain personal information for a period longer than necessary to (a) fulfil the purposes for which the information was collected, used or disclosed; or (b) comply with the requirements of this Act, of federal or provincial law or of the reasonable terms of a contract. The organization must dispose of the information as soon as feasible after that period.
Commentary: Again, this should prod privacy officer’s to re-examine their record retention policies. One particular feature of interest is the reference to “the reasonable terms of a contract”, which suggests that an individual or organization could contractually agree to maintain the personal information for longer that is required for the purposes: if contracting parties can contract out of the application of this basic principle, this could lead to results which would be contrary to the intention of the Act. For this reason, the scope of the term “reasonable” will be very important.
vi. Subsections 55(1) (Disposal at individual’s request) and (3)) (Disposal of transferred personal information
Commentary: We have addressed the impact of this new “Right to be Forgotten” above.
vii. Subsection 57(1) (Security safeguards): (1) An organization must protect personal information through physical, organizational and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information.
Commentary: These security requirements already exist under PIPEDA. However, the potential for significant fines is problematic given how amorphous the requirement is. Privacy officers are faced by the prospect of having to assess what safeguards are sufficient to meet this standard, in order to avoid the penalties.
viii. Subsections 58(1) (Report to Commissioner) and (3) (Notification to Individual) regarding any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
Commentary: While the obligation is not new, attaching the potential for significant fines is potentially very problematic, given that standard for reporting to the Commissioner and reporting to the individual is inherently subject to interpretation: witness the terms “reasonable in the circumstances”, “real risk”, and “significant harm”. This will make it even more important for organizations suffering a privacy breach to conduct a careful assessment of whether this test is met, and to document their analysis. Given the new potential for fines, it would be prudent to engage an independent third party counsel or advisor to assist with this assessment. This will also likely “put a thumb on the scale” in favour of reporting and notification in more marginal cases.
Factors to Consider in Making a Recommendation
Privacy officers should also note that while the fines are equivalent to those set out in the GDPR, the contextual factors that the Commissioner must consider in making a recommendation to the Data Tribunal for the imposition of a penalty are significantly shorter than those of the GDPR. More specifically, under the Act the Commissioner must take into account only: (a) the nature and scope of the contravention; (b) whether the organization has voluntarily paid compensation to a person affected by the contravention; (c) the organization’s history of compliance with this Act; and (d) any other relevant factor.
Compare that the requirement in the GDPR that in considering the application of any administrative fine, in each case “due regard” is required to be given to the following extensive list of factors: the nature, gravity and duration of the infringement, taking into account the nature scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them (arguably the same as the Act’s factor “the nature and scope of the contravention”); (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects (contrast with the much more limited factor in the new Act of “whether the organization has voluntarily paid compensation”); (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them; (e) any relevant previous infringements by the controller or processor (similar to “organization’s history of compliance” under the Act); (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (f) the categories of personal data affected by the infringement; (g) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (h) where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (i) adherence to approved codes of conduct or approved certification mechanisms under the GDPR; and (j) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
We prefer the GDPR approach which expressly requires a much more fair, reasonable and detailed examination of the factors of each breach, which is proportionate and appropriate given the potentially very significant fine. However, privacy officers should look to these factors in any case in assessing the risk of any breach of these “hot button” provisions of the Act.
b. Hot Button Issues: As Indicated by New Offences
But we’re not finished yet: the new proposed Act also lengthens the list of potential offences under the Act, for which against substantial fines may be applied: for an indictable offence, a fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced; and for a summary conviction offence, a fine not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced.
PIPEDA limits this to a reasonably short list of relatively straightforward offences: failure to retain information which is subject to a request; failing to report to the Commissioner any breach of security safeguards, or to keep/maintain a record of each such breach; dismissing, suspending, demoting, disciplining, harassing or otherwise disadvantaging a PIPEDA whistleblower, or obstructing the Commission in their conduct of an audit or investigation.
Under the new Act, this has been expanded to also include a breach of the following obligations as potential offences:
i. a knowing breach of the obligation to not only report to the Commissioner, but also to notify the individual, as well as now all of the provisions regarding such reporting and notification, rather than simply the requirement to make the report: that means that any breach of the ancillary provisions regarding the relatively less priority requirements of timing, form, manner and content of such report and notice, as well as the definition of, and list of relevant factors to determine, significant harm;
ii. knowingly breaches a Commissioner Compliance Order).
Commentary: the expanded scope of the offence is now another reason for privacy officers to re-asses their privacy breach reporting and notification process.
While it is true that much of the Act is just PIPEDA revisited, the combination of certain new obligations, together with an enforcement mechanism that targets certain compliance requirements of being of particular interest, provides a strong incentive for privacy officers to take a good look at their existing privacy compliance framework with a view to giving it a targeted refresh. The potential financial exposure of their organizations if they not, should given them the internal traction to do so.