The CPPA’s Privacy Law Enforcement Regime
The recently-proposed Consumer Privacy Protection Act (“CPPA” or the “Act”) sets out a new enforcement regime that, if passed in its current form, will dramatically affect how Canada’s federal privacy laws will be enforced. The amendments include significant new enforcement powers for the Office of the Privacy Commissioner of Canada (the “Commissioner”), and significant penalties for privacy law violations. They would also establish a new Federal tribunal, the Personal Information and Data Protection Tribunal (the “Tribunal”), and open the door to private rights of action and potentially class proceedings for violations of the CPPA. From hefty fines to expanded rights of private action, here is what your organization needs to know in order to navigate the CPPA’s proposed enforcement regime.
NEW POWERS AND MONETARY FINES
The array of new remedial powers under the CPPA is a significant change from the status quo. Notably, the proposed Act ushers in new order-making powers for the Commissioner, and introduces the Tribunal, which will be dedicated to adjudicating privacy disputes. The Tribunal can impose significant penalties for CPPA violations and hear appeals from findings and orders made by the Commissioner.
The Commissioner & the Tribunal’s Powers
Under the current legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Commissioner cannot impose fines or make orders. Rather, the Commissioner may investigate potential breaches of PIPEDA and, where it believes a violation has occurred, it can issue findings, express an opinion as to whether a complaint was well founded and whether the complaint was resolved, and make recommendations. Fines and other non-monetary orders are currently available under PIPEDA only by way of an application to the Federal Court, which the Commissioner or the complainant must bring. On a plain reading of the legislation under the current regime, class action proceedings cannot be brought as part of a PIPEDA application to the Federal Court.
In a departure from PIPEDA, under the CPPA the Commissioner will not only be able to investigate alleged privacy breaches, but will also be able to prosecute violators and adjudicate whether the Act has been breached. The Commissioner can make “any interim order that the Commissioner considers appropriate”. It can also, among other things, make binding compliance orders requiring organizations to take measures to comply with the Act and to stop doing anything that is in contravention of the Act.
Under the CPPA, the Commissioner can also recommend whether a penalty should be imposed by the Tribunal. The factors the Commissioner must take into account are the nature and scope of the contravention; whether the organization has voluntarily paid compensation to a person affected by the contravention; the organization’s history of compliance with the Act; and any other relevant factor. The Act does not state whether the Commissioner also has the right to recommend the quantum of the penalty to be imposed. However, since the factors the Commissioner is required to take into account in deciding whether to recommend a penalty do not include the organization’s ability to pay, it may be inferred that the Commissioner does not have this right. This point should be clarified in the Bill.
The Commissioner’s reports can also be used as a basis for private rights of action, as discussed below.
The CPPA stipulates that the purpose of a penalty is to promote compliance with the provisions of the CPPA and not to punish an organization. However, it may be argued that the penalties are so high that they are in fact punitive. Certain contraventions of the Act can attract penalties of up to the greater of $10 million or 3% of an organization’s gross global annual revenue. For comparison purposes, the European Union’s General Data Protection Regulation (“GDPR”) and Quebec’s proposed Bill 64 provide for a fine of up to the greater of $10 million or 2% of an organization’s global annual revenue. If these levels of penalties are not reduced before passage, they might later be challenged as being criminal in nature, which would require criminal due process and protections.
In limited circumstances, such as where an organization knowingly fails to report a breach of security safeguards involving personal information under its control, knowingly fails to maintain records of breaches of security safeguards, unlawfully attempts to re-identify de-identified information, or seeks to obstruct an investigation, even more serious fines of up to the greater of $25 million or 5% of an organization’s gross global annual revenue may apply. However, these contraventions constitute punishable offences that require prosecution in a court and are therefore outside the powers of the Tribunal. Regardless of jurisdiction, this is a massive increase from the penal sanctions under PIPEDA, which provided for fines of only up to $100,000. The GDPR and Quebec Bill 64 also provide penal fines for more serious infringements, but cap them at 4% of global annual revenue.
The CPPA provides organizations with an express due diligence defence applicable to the imposition of penalties by the Tribunal. This defence is not expressly available as a defence to other remedies under the CPPA. Further, it remains to be seen whether the same due diligence defence would be available for punishable offences under the CPPA.
Lack of Procedural Protection Guarantees
Despite the significant new powers of the Commissioner to make orders and recommend substantial penalties, the CPPA provides only scant procedural protections. The Commissioner “is not bound by any legal or technical rules of evidence in conducting an inquiry”. It also “must deal with the matter as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit”. The Commissioner must “give the organization and the complainant an opportunity to be heard and to be assisted or represented by counsel or by any person”, but the Commissioner has discretion to “determine the procedure to be followed in the conduct of an inquiry”. There is no guarantee that these processes will align with the generally accepted procedures that would be available in court proceedings where organizations are exposed to such high levels of risk. While orders and penalty recommendations made by the Commissioner can be appealed to the Tribunal, the limited grounds of appeal (summarized below) make the lack of express procedural protections before the Commissioner even more concerning.
Further, it remains to be seen whether there will be an institutional separation between the investigative and the order-making bodies of the Commissioner’s office. There is nothing in the CPPA that requires any separation between the investigative and adjudicative arms of the Office of the Privacy Commissioner (“OPC”). The same branch or individuals investigating a complaint could be the same branch imposing orders or recommending monetary fines to the Tribunal. By comparison, the Canadian Radio-television and Telecommunications Commission (CRTC) has separate bodies for conducting investigations and for adjudicating the findings of those investigations. Arguably, a lack of institutional division under the CPPA could create a reasonable apprehension of bias, which may leave the new Act vulnerable to legislative challenges before it even comes into force.
The Tribunal’s Composition
The proposed function of the Tribunal is twofold. First, it can impose penalties. Second, it hears appeals from findings and orders, including interim orders made by the Commissioner.
With such significant remedial powers available to be exercised, it is important to understand the requirements for sitting on the Tribunal. Other Federal tribunals that have the power to impose significant monetary penalties are chaired by judges or senior lawyers. For example, the Competition Tribunal must be chaired by a Federal Court judge, and other members must be knowledgeable in economics, commerce or public affairs. In practice, Competition Tribunal hearings are typically presided over by two Federal Court judges and a lay member. Other Federal tribunals similarly require subject-matter expertise, but also require that the chairs of the tribunal be lawyers or notaries who have practiced for over ten years (the Canada Agricultural Review Tribunal is one such example). Not so with the Tribunal. At present, it is contemplated that the Tribunal will consist of three to six members appointed by the Governor in Council on the recommendation of the Minister of Innovation, Science and Industry. However, only one of the members is required to have “experience” in the field of information and privacy law, and there is no requirement for that person or any other member to otherwise have a legal or judicial background.
Appeals and Judicial Reviews
The Tribunal plays an important role in hearing appeals from findings and orders made by the Commissioner and in deciding what penalties, if any, should be imposed on organizations. However, overturning the Commissioner’s findings and orders, or departing from the Commissioner’s recommendation to impose a penalty, may prove difficult for the Tribunal.
As noted above, the Commissioner cannot directly impose monetary penalties against organizations. It can only make a recommendation. The Tribunal has the sole authority to determine the quantum of penalties. In making this determination the “Tribunal must rely on the findings… [of] the Commissioner” “or on the Tribunal’s own findings if, on appeal, it substitutes its own findings for those of the Commissioner”.
Although the CPPA is ambiguous on this, it is possible that the CPPA gives the Tribunal only a very limited basis to substitute its own views for those of the Commissioner as to whether to impose a penalty. The Tribunal is constituted to hear appeals of the Commissioner’s findings, orders or decisions to recommend whether a penalty be imposed on the organization. The standard of review for any appeal to the Tribunal “is correctness for questions of law and palpable and overriding error for questions of fact or questions of mixed law and fact”. If this applies to whether penalties should be imposed, then the recommendations of the Commissioner, which will likely often be very fact dependent, may be difficult to overturn. Since the Commissioner does not appear to have the authority to recommend the quantum of the penalties to be imposed, that decision will be up to the Tribunal. That said, its decisions may not be entirely discretionary, since it must defer to the factual findings made by the Commissioner.
It may also be difficult to overturn orders made by the Commissioner. Interim orders can only be appealed with leave of the Tribunal. Further, all findings and orders made by the Commissioner must be given deference, given that the standard of review is correctness for questions of law and palpable and overriding error for questions of fact or questions of mixed law and fact.
Compounding all of these concerns is that there are also no guarantees of procedural protections on appeals. Like the Commissioner, the Tribunal is not bound by any legal or technical rules of evidence and it must deal with “all matters as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit”. The Tribunal has the power to adopt its own rules, with the approval of the Governor in Council, but these rules will have to be consistent with the CPPA, which may require them to meet the informality and expeditious (and fairness) standards for hearings in the CPPA.
Another concern with the Tribunal is that all of its findings and decisions are final and binding. Unlike other Federal legislation like the Competition Act or the Broadcasting Act, there is no right of appeal to a court, meaning that the only check on the Tribunal’s powers will come in the form of judicial review under s. 18 of the Federal Courts Act. As explained by the Supreme Court in Vavilov, the presumptive standard of reasonableness generally applies on an application for judicial review, except where the rule of law requires the application of the standard of correctness, such as constitutional questions and general questions of law, which may also include questions of law subject to concurrent first-instance jurisdiction based on pre-Vavilov jurisprudence. The implication is that it could be very difficult to overturn awards where the reasonableness standard is applied by the Federal Court on judicial review.
PRIVATE RIGHT OF ACTION
The CPPA also provides for a private right of action. However, this private right of action is not unfettered. It is only available where the Commissioner has made a finding that an organization has contravened the CPPA (which, if appealed, is upheld by the Tribunal), where the Tribunal has made its own finding that an organization contravened the Act, or where the organization has been convicted of one of the offences that can lead to fines of up to $25 million or 5% of the organization’s annual global revenues. These gate-keeping mechanisms may help to limit the number of frivolous cases being brought to court.
On the other hand, the CPPA could be interpreted to potentially broaden the range of plaintiffs permitted to bring individual privacy law actions. Previously under PIPEDA, only the Commissioner or the complainant (i.e., the party that initially filed a complaint with the Commissioner) could apply to the Federal Court in pursuit of a remedy. In contrast, the CPPA expressly provides for any individual “affected by” an organization’s contravention of the Act to apply for relief before a court. This could potentially have a significant impact on the number of overall plaintiffs in a putative privacy law dispute, as well as potentially pave the way for class actions predicated on a private cause of action under the Act.
The CPPA is also broader than its predecessor when it comes to venue. PIPEDA only provided individuals the right to a hearing by way of application before the Federal Court, which is a statutory court that is not meant to hear common law claims. Under the CPPA, individuals who have standing to bring a private right of action will be able to commence an action either in the Federal Court or in a Superior Court of a province. This has significant implications. On the one hand, this may increase access to justice by providing applicants with various avenues to have their disputes adjudicated. On the other hand, private actions under the CPPA could become increasingly complex, expensive and time consuming. In Tucci v. Peoples Trust Company, 2020 BCCA 246, the British Columbia Court of Appeal held that common law actions for privacy breaches were not excluded by PIPEDA. The CPPA is silent on this, leaving the door potentially open for common law and civil law actions to be brought alongside the CPPA private right of action. If Parliament is seeking to permit only claims based on adverse findings by the Commissioner under the CPPA, then arguably this should be clarified. The CPPA also does not address the weight, if any, to be given to the findings of the Commissioner or the Tribunal in any such proceedings (in contrast, private rights of action under PIPEDA are heard de novo at the Federal Court), or how an organization can avoid being subject to multiple penalties under federal and provincial laws and proceedings, in addition to damages for common law and civil law claims.
For more analysis on the new Bill and its changes, please visit TechLex for the latest blogs by McCarthy Tétrault.