The CPPA's Privacy Law Enforcement Regime

• Published date: 28 January 2021
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: McCarthy Tétrault LLP
• Author: TechLex Blog, Barry B. Sookman, Gillian P. Kerr, Pippa Leslie, Daanish Pasricha and Nikiforos Iatrou

The recently-proposed Consumer Privacy Protection Act ("CPPA" or the "Act") sets out a new enforcement regime that, if passed in its current form, will dramatically affect how Canada's federal privacy laws will be enforced. The amendments include significant new enforcement powers for the Office of the Privacy Commissioner of Canada (the "Commissioner"), and significant penalties for privacy law violations. They would also establish a new Federal tribunal, the Personal Information and Data Protection Tribunal (the "Tribunal"), and open the door to private rights of action and potentially class proceedings for violations of the CPPA. From hefty fines to expanded rights of private action, here is what your organization needs to know in order to navigate the CPPA's proposed enforcement regime.

NEW POWERS AND MONETARY FINES

The array of new remedial powers under the CPPA is a significant change from the status quo. Notably, the proposed Act ushers in new order-making powers for the Commissioner, and introduces the Tribunal, which will be dedicated to adjudicating privacy disputes. The Tribunal can impose significant penalties for CPPA violations and hear appeals from findings and orders made by the Commissioner.

The Commissioner & the Tribunal's Powers

Under the current legislation - the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Commissioner cannot impose fines or make orders. Rather, the Commissioner may investigate potential breaches of PIPEDA and, where it believes a violation has occurred, it can issue findings, express an opinion as to whether a complaint was well founded and whether the complaint was resolved, and make recommendations. Fines and other non-monetary orders are currently available under PIPEDA - the Commissioner or the complainant can only obtain such relief by bringing an application in the Federal Court. On a plain reading of the legislation under the current regime, class action proceedings cannot be brought as part of a PIPEDA application to the Federal Court.

In a departure from PIPEDA, under the CPPA, the Commissioner will not only be able to investigate alleged privacy breaches, it will also be able to prosecute violators and adjudicate whether the Act has been breached. The Commissioner can make "any interim order that the Commissioner considers appropriate". It can also, among other things, make binding compliance orders to require organizations to take measures to comply with the Act and to stop doing something that is in contravention of the Act.

Under the CPPA, the Commissioner can also recommend if a penalty should be imposed by the Tribunal. The factors the Commissioner must take into account are the nature and scope of the contravention; whether the organization has voluntarily paid compensation to a person affected by the contravention; the organization's history of compliance with the Act; and any other relevant factor. The Act does not state whether the Commissioner has the right to also recommend the quantum of penalty to be imposed. However, since the factors the Commissioner is required to take into account in deciding whether to recommend a penalty do not include the organization's ability to pay, it may be inferred the Commissioner does not have this...