If you’re a business that hasn’t dotted the i’s in privacy compliance, then you may have your own Buzz Lightyear—“this is an intergalactic emergency”—moment.
Both the Feds and Ontario have proposed new privacy legislation: the Feds introduced the Consumer Privacy Protection Act (“CPPA”) and Ontario countered with a white paper entitled “Modernizing Privacy in Ontario” (the “Ontario Proposal”). Both seek to impose massive fines for non-compliance. Importantly, neither are law right now.
The CPPA aims to repeal PIPEDA and introduce new rights, such as the Right to be Forgotten, and strengthen already existing rights. In contrast, the Ontario Proposal arose as a response to criticisms of the CPPA along with Ontario’s desire for a “made in Ontario” approach.
Both the CPPA and Ontario Proposal feature Administrative Fines and Statutory Offences with few differences between them.
Administrative fines
Both provide that if an organization violates the Act (for example, by failing to limit collection, obtain consent, dispose of personal information, or secure it properly), the organization could receive a max. fine of $10,000,000 or 3% of gross global revenue, whichever is greater.
But the Ontario Proposal offers a lighter touch by distinguishing an organization (such as a corporation) from an organization that is an individual. Ontario proposes to limit the maximum liability of the individual to $50,000.
Statutory offences
Both have similar statutory offences that capture conduct where an organization knowingly:
- failed to report a breach to the Commissioner;
- failed to maintain a record of every breach to PI;
- failed to retain information subject to an inquiry;
- failed to abide by a compliance order;
- re-identified de-identified personal information;
- sought retribution against a whistleblower; and
- obstructed the Commissioner or his or her delegate(s) in the investigation of a complaint or an audit.
However, the CPPA goes a tad farther and also prohibits conduct where an organization knowingly gave an insufficient report to the Commissioner and failed to notify individuals of certain breaches to their PI (or gave insufficient notice).
Both provide a maximum fine to an organization of $25,000,000 or 5% of gross global revenue, whichever is greater.
It’s still too early to know what will eventually become law. Just know that harsh fines and offences are coming and will be here to stay. Although the proposed fines will not levy “infinite” penalties as the title suggests, the penalties certainly will seem infinite when you compare them to the penalties imposed by previous privacy laws.
If you’re interested further, please check out our other blog posts about the proposed federal privacy law:
- “A new Privacy Commissioner may be coming to town” written by Michael Weinberger and Savvas Daginis; and,
- “Major update to Canadian privacy legislation in the works… What does this mean for class actions?” written by Stefani Cuberovic.
Whether data collection, storage, and use are ancillary to your business, the Siskinds’ Data Protection, Cybersecurity, & Privacy Law Practice Group is ready to help minimize your enterprise risk by ensuring your business complies with privacy law. Should you have any questions, please don’t hesitate to contact Peter Dillon at peter.dillon@siskinds.com or Savvas Daginis at savvas.daginis@siskinds.com.