What a Data Breach Could Soon Cost You

Posted on: December 1, 2020

Let’s skip to the bottom line, because it’s a shocker: the higher of $25 M or 5% of gross revenue. Yes, folks, that is the potential fine for any of several offenses under a new bill currently making its way through the Canadian legislative process. (In second reading at the time of writing.)

Minister of Innovation, Science and Industry, Navdeep Bains, introduced Bill C-11 earlier this month. Officially called “An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts,” (whew!) it is intended to put big shark teeth into Canada’s privacy protection laws.

In a nutshell, it enacts the Consumer Privacy Protection Act, enacts the Personal Information and Data Protection Tribunal Act, and amends what will now be called the Electronic Documents Act. To strengthen those laws and keep them consistent with the many other laws they touch, it also makes related changes to nine other acts. (List below.)

The Personal Information and Data Protection Tribunal Act establishes an administrative body to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act, and it allows penalties for the contravention of certain provisions of that Act.

Of note, the tribunal is “not bound by any legal or technical rules of evidence and must deal with all matters as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit.” The hearings and decisions will be public, with few exceptions. The takeaway here is that even if you don’t get a huge fine, your blunder and its consequences will be very public.

A few other highlights:

  • The Act prescribes reporting requirements (to the Commissioner and to affected individuals) for any breach of security safeguards involving personal information under an organization’s control, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, and it provides guidance on defining “significant harm.”
  • It requires organizations to maintain a record of every breach of security safeguards involving personal information under their control.
  • It prohibits the deletion of information that is the subject of a request by an individual.
  • It prohibits re-compiling of information to identify an individual.
  • It protects whistleblowers and those who comply with the law against the wishes of an employer or refuse to take a non-compliant action.
  • It allows the Privacy Commissioner to order organizations to:
      (a) take measures to comply with the Act;
      (b) stop doing something that is in contravention of the Act;
      (c) comply with the terms of a compliance agreement that has been entered into by the organization; or
      (d) make public any measures taken or proposed to be taken to correct the policies, practices, or procedures that the organization has put in place to fulfill its obligations under the Act.

Here’s the potentially costly bit: every organization that knowingly contravenes key sections of the legislation or an order from the Commissioner, or that obstructs the investigation of a complaint, an inquiry, or an audit, can be fined up to the higher of $25 M or 5% of gross revenue.

So, if the only privacy policy you have is the one we put on your website, or if you don’t really know whether your company’s data safeguards are being adhered to, or whether they are perhaps insufficient, now is the time to get on it.

Here are links to Canada’s Privacy Act and BC’s Freedom of Information and Protection of Privacy Act.

For those interested, here are the Acts being amended:

  • Access to Information Act
  • Aeronautics Act
  • Canada Evidence Act
  • Canadian Radio-television and Telecommunications Commission Act
  • Competition Act
  • Canada Business Corporations Act
  • Public Servants Disclosure Protection Act
  • Chapter 23 of the Statutes of Canada, 2010
  • Transportation Modernization Act