Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020. It proposes the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the second of a series of articles addressing specific issues raised by the proposed CPPA. This article addresses how the enforcement powers and penalties proposed by the Bill would work and what it means for businesses.
A more general discussion of the changes introduced by the Bill is available separately; links to the other posts in the CPPA: In Depth series appear at the end of this article.
The CPPA would provide for proceedings before a tribunal (“Tribunal”) that would act as an appeal body from findings and recommendations made by the Office of the Privacy Commissioner of Canada (“OPC”). This is an entirely new addition to the federal privacy regime – currently no Tribunal exists. The Tribunal would be established by companion legislation to the CPPA, the Personal Information and Data Protection Tribunal Act (“PIDPTA”), which is also introduced by Bill C-11.
These structural changes are among the most significant the Bill would make to the privacy landscape, as they are accompanied by powers to order compliance with the CPPA and to impose significant monetary penalties.
I. New OPC Enforcement Powers
The new OPC enforcement powers are a marked addition to the OPC’s current powers, as the OPC may not currently make orders directing compliance and has no ability to impose or recommend monetary penalties. By contrast, under the CPPA, the OPC would have the following enforcement powers:
Investigations: Similar to the current requirements under PIPEDA, under the proposed CPPA, the OPC would be required to carry out an investigation in respect of a complaint filed by an individual under s. 82, except in certain circumstances. These exceptions include where the OPC is of the opinion that there is another procedure provided for under law that is preferable, where the complainant should first exhaust grievance or review procedures, and where too much time has elapsed.
Under the CPPA, the OPC would also have the ability to decline to investigate a complaint on the basis that the complaint raises an issue in respect of which an OPC-approved certification program applies (the ability to approve certification programs is new under the CPPA and will be dealt with in a separate post). This is discretionary – the OPC may still elect to conduct an investigation notwithstanding the organization’s participation in a certification program.
The goal of the investigation process is to resolve the complaint (generally via alternative dispute resolution mechanisms such as mediation and conciliation, as in PIPEDA).
Inquiries: Inquiries are a new process under CPPA. Under s. 88 of the CPPA, the OPC may conduct an inquiry if the matter is not resolved, discontinued or diverted to alternative dispute resolution at investigation. For unresolved matters, this essentially gives the OPC a second kick at the can (to investigate an organization further). The OPC’s power to start an inquiry is discretionary.
This is an important development. Previously, where an organization did not agree with the OPC’s findings or recommendations, or declined to implement the OPC’s recommendations, the organization was left with little recourse to challenge them. Typically, the issue would remain unresolved and the OPC would note publicly that the organization declined to implement its recommendations and/or did not cooperate, inflicting a negative reputational impact on the organization. The organization had little choice but to accept this: the OPC’s findings and recommendations – however unreasonable they might be – were non-binding and therefore not capable of appeal. Judicial review was a possibility, but the chances of success were small in all but the most egregious circumstances.
Under the CPPA, unresolved complaints may proceed to an inquiry phase. The OPC has broad powers in respect of an inquiry: it is not bound by any rules of evidence in conducting an inquiry (with the exception of privilege-related rules), and it may determine the procedure to be followed. However, the language of the section references “considerations of fairness and natural justice”, which are not referenced at the investigation stage. The OPC must also give the complainant and the organization an opportunity to be heard and to be assisted or represented by counsel or another person, rights not explicitly available at the investigation stage.
Decisions and Compliance Orders: The most important expansions of the OPC’s enforcement powers are set out in ss. 92-93 of the CPPA. Under those provisions, the OPC may, after concluding an inquiry, issue a finding of contravention of the CPPA, and issue a compliance order. This direct order-making power is not currently available to the OPC.
In a compliance order, the OPC may order an organization to: (a) take measures to comply with the CPPA; (b) stop doing something that is in contravention of the CPPA; (c) comply with the terms of a compliance agreement entered into by the organization; and (d) make public any measures taken or proposed to be taken to correct policies, practices or procedures in place to fulfill the organization’s obligations under the CPPA.
Compliance orders may be appealed to the Tribunal. If not, or if the appeal is dismissed by the Tribunal, the compliance order may be made an order of the Federal Court and is enforceable in the same manner.
Monetary Penalties: Under s. 93 of the CPPA, the OPC would be able to recommend that a monetary penalty be imposed on the organization by the Tribunal, which is the entity actually empowered to impose penalties after a hearing (see s. 94, discussed below). In recommending the quantum of the penalty, the OPC must take into account (a) the nature and scope of the contravention; (b) whether the organization has voluntarily paid compensation to a person affected by the contravention; (c) the organization’s history of compliance with the CPPA; and (d) any other relevant factor. This represents a significant new power for the OPC, which currently has no power to recommend a monetary penalty. However, even under the proposed CPPA, the power to actually impose a monetary penalty is restricted to the Tribunal, as discussed below.
As mentioned above, one of the factors that the OPC must consider is whether the organization has voluntarily paid compensation to affected persons. The qualifier “voluntarily” suggests that a payment to a plaintiff in the context of litigation (including class actions) would be excluded; however, payments made pursuant to a settlement of such actions may well be considered “voluntary”. This consideration may become significant in the timing and mechanism of resolving class actions. Note, too, that the language refers to “compensation” but does not specifically require “monetary compensation”; in-kind compensation (such as offers of credit monitoring) would presumably be included. Finally, any such compensation must be to a person affected “by the violation”; it appears that compensation paid to settle a negligence or misrepresentation claim pleaded in addition to a breach of privacy claim may not qualify.
Audits: As it can under PIPEDA, under s. 96 of the CPPA, the OPC may, on reasonable notice, audit an organization’s personal information management practices, if the OPC has reasonable grounds to believe that the organization has contravened the CPPA. Under s. 97, after an audit, the OPC must provide the organization with a report of its findings and recommendations. Importantly, this section specifically provides that these audit reports may be included in the OPC’s annual report and may therefore become public.
II. The Tribunal
The new Tribunal established under the PIDPTA would also play a significant role in enforcement – and would be a wholly new addition to the privacy enforcement regime. Once the OPC completes its inquiry and finds there to have been a violation of the CPPA, the OPC may recommend to the Tribunal that a penalty be imposed on the organization. The Tribunal would have the following powers and functions:
Imposing Penalties: The Tribunal may make an order imposing a penalty on an organization if: (a) the OPC files a copy of a decision in relation to the organization in accordance with the Bill, or the Tribunal, on appeal, substitutes its own decision to recommend that a penalty be imposed; (b) the organization and OPC are given the opportunity to make representations (suggesting some sort of adversarial process and hearing before the Tribunal); and (c) the Tribunal determines that imposing the penalty is appropriate.
The financial health of the organization plays a significant role in deciding whether a penalty should be imposed and how much it should be. In determining these issues, the Tribunal must consider: the OPC’s analysis, the organization’s ability to pay, the effect that paying the penalty will have on the organization’s ability to carry on its business, and any financial benefit that the organization obtained from the contravention.
As an added incentive for organizations to develop and implement robust privacy programs, the Tribunal is prohibited from imposing a penalty if the organization establishes that it exercised due diligence to prevent the contravention of the CPPA. The onus here is on the organization to establish the due diligence defence.
Maximum Penalties: Under the proposed legislation, the Tribunal’s powers to impose penalties are significant. The maximum penalty for all the contraventions in a recommendation taken together is the higher of $10,000,000 and 3% of the organization’s gross global revenue in the financial year before the one in which the penalty is imposed. Further, certain knowing contraventions are prosecutable as offences, punishable on conviction by fines of up to the higher of $25,000,000 and 5% of the organization’s gross global revenue in the prior financial year. These penalties are the highest available penalties amongst all countries in the G7.
Hearing of Appeals: Under s. 100 of the CPPA, both complainants and organizations have a statutory right of appeal to the Tribunal in respect of orders of the OPC. The standard of review for an appeal is correctness for questions of law, and palpable and overriding error for questions of fact or mixed law and fact.
Decisions of the Tribunal are final and binding: they are not subject to appeal or to review by any court, except by way of judicial review under the Federal Courts Act. The Tribunal itself will be composed of 3 to 6 appointed members, only one of whom is required to have experience in privacy law.
With respect to procedure before the Tribunal:
- No technical rules of evidence: The Tribunal is not bound by rules of evidence (except as concerns privilege) and must deal with all matters as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit.
- Standard of proof: In any proceeding before the Tribunal, the standard of proof that a party must discharge is on a balance of probabilities.
- Majority decision, with reasons: Decisions will be made by majority, and the Tribunal must provide a decision with reasons in writing to all parties to a proceeding.
- Public hearings: Hearings must be held in public. However, the Tribunal may choose to hold all or part of a hearing in private if it believes that a public hearing would not be in the public interest or that confidential information may be disclosed. In determining whether the confidential information in issue justifies a private hearing, the Tribunal will consider whether the desirability of ensuring that the information is not publicly disclosed outweighs the desirability of adhering to the principle that hearings be open to the public. This is in contrast with the investigation and inquiry portions of the process, during which the OPC is required not to disclose information, subject to certain exceptions. This may well be a factor for organizations in deciding whether or not to push the OPC to the Tribunal stage.
It is not yet clear how long this process will take, or whether a further judicial review will make the process a lengthy one.
III. Statutory causes of action
The Bill would establish a new private right of action for individuals affected by an organization’s CPPA contravention. Under s. 106 of the CPPA, an individual affected by an act or omission that constitutes a contravention of the Act can sue the organization for damages if: (a) the OPC has made a finding under s. 92(1) and the finding is not appealed or the Tribunal has dismissed an appeal; or (b) the Tribunal has made a finding that the organization has contravened the CPPA. Importantly, this right is not limited to the original complainant but extends to “anyone affected”. This suggests that multiple actions, including class actions, would be possible.
Other posts in the CPPA: In Depth series:
Part 1: CPPA: An in-depth look at the “service provider” provisions in Canada’s proposed new privacy law
Part 2: CPPA: An in-depth look at the enforcement and penalty provisions in Canada’s proposed new privacy law
Part 3: CPPA: An in-depth look at the codes of practice and certification program provisions in Canada’s proposed new privacy law
Part 4: CPPA: An in-depth look at the de-identification provisions in Canada’s proposed new privacy law
Part 5: CPPA: An in-depth look at the data mobility provisions in Canada’s proposed new privacy law
Part 6: CPPA: An in-depth look at the disposal provisions in Canada’s proposed new privacy law
Part 7: CPPA: An in-depth look at the consent provisions in Canada’s proposed new privacy law
Part 8: CPPA: An in-depth look at the access request provisions in Canada’s proposed new privacy law
Part 9: CPPA: An in-depth look at the private right of action provisions in Canada’s proposed new privacy law
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our Dentons Data suite of data solutions, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.