Our government recently proposed Bill C-11 to update Canada’s privacy laws, based on Canada’s Digital Charter. After all, why propose and pass a law that is not enforced?
There are 10 principles in Canada’s Digital Charter and the 10th is “Strong Enforcement and Real Accountability: There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.”
This article will review the proposed enforcement of the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act with a focus on ENFORCEMENT.
First let’s look at our government’s recent record when it comes to enforcement.
Our anti-spam law, the Canadian Anti Spam Legislation often referred to as CASL, as I will explain in detail, is relatively unenforced, despite having a private right of action written into it. This privacy law is designed to change how organizations use our personal data. CASL was designed to change how organizations use our email and other electronic messaging.
Canada does not have a lot of class action lawsuits embedded within our laws. So this idea is relatively new to Canadians, while being very familiar in the USA. In an effort to enforce the Canadian Anti Spam Legislation (CASL), the government of the day (Dec 2010), after much deliberation, included a private right of action (PRA) in the law. While the CRTC had the lead in enforcement with the Competition Bureau and the Office of the Privacy Commissioner granted certain enforcement powers under CASL, the primary enforcement tool was always designed to be the private right of action – the public who were receiving the spam every day.
In simple terms, the PRA under CASL did not require an individual to prove damages. It limited damages to $200 per incident. At the end of the day, if an organization like Rogers Communications (or any organization sending emails to Canadians) sends you emails or text messages and cannot prove they have consent (implied or express) for doing so, you are entitled to $200 for every message you can prove they sent. Clearly for those who did not change their practices when the law came into force, this could get expensive. On the other hand, those who did come into compliance had nothing to worry about.
In my opinion, the business community is very afraid of private rights of action, as is evident in their actions. CASL was passed in 2010 and parts of it came into force on July 1, 2014. From 2010 to 2014, mainly the large enterprise companies were working on CASL compliance. There was some confusion as to how it was going to be enforced, so many organizations waited to see guidance from the enforcement bodies. There was a little more activity after the law came into force but the real compliance activity was from January 2017 – June 7, 2017, the 6-month period before the private right of action came into force (scheduled for July 1, 2017).
On June 7, 2017, after significant pressure from the business community, Minister Bains announced the “indefinite postponement” of the PRA. He cited concern over “the possibility of frivolous lawsuits”, which required “further study”. With our lack of experience with private rights of action here in Canada, nobody knew how Canadians would act, yet our government made an important enforcement decision based on “possibility” rather than “probability”. The fact is, we cannot study something that is conceptual. The only way to study the actions of Canadian citizens is to allow the PRA to come into force and monitor the facts very closely. Only then can we act intelligently, based on those facts.
The “indefinite postponement” of the primary enforcement tool put an immediate end to interest in CASL compliance. My firm helps companies implement compliance programs (spam and privacy) and we were busy from July 1, 2014, very busy Jan 2017 – June 7, 2017 (the six months before the PRA was scheduled to come into force) and we have not had a single CASL compliance engagement in the 3 1/2 years since! Not one. So in the past 3 years we have seen no meaningful interest from the business community in CASL compliance.
I have been saying for years, a business has a better chance of winning a lottery than being fined by the CRTC under CASL. The CRTC has done an exceptional job of being the lead enforcement body for CASL, but they are a single body with limited resources. During the 3-year “interim” stage of enforcing CASL they spent the first 18 months providing written guidance and fining a few high-profile brands (a combination of undertakings and violations). In the second 18-month period they focussed on negotiating Memorandums of Understanding (MOUs) with other countries so they could enforce CASL globally with clear co-operation for both investigations and collection of fines. Their actions make it clear to observers that they were setting the table for the private right of action – the public – to help enforce CASL in a meaningful way. Once the PRA – the public – started taking actions against corporate spammers, the CRTC could turn their attention to the malicious spammers – the ones causing real harmful damage to email users. There have been 7 enforcement actions – 5 undertakings and 2 violations – since the “indefinite postponement” of the private right of action, and 1 of them was already investigated and agreed upon before Minister Bains’s announcement (Mr. Ghasson Halazon, June 12, 2017 entered into an undertaking for a $10,000 fine). That is effectively 6 enforcement actions in 3 1/2 years. Can a small team, like the CRTC Enforcement Team, effectively enforce a law globally? Remember, businesses’ poor email and SMS text habits were very entrenched in companies worldwide and Canada was setting the highest bar for spam in the world. A very similar situation to privacy, where businesses have developed poor habits.
Now, with that context, let’s examine the proposed enforcement strategy of Bill C-11. Again, in simple terms, with a clear list of what they can and cannot do, the Office of the Privacy Commissioner of Canada would be granted the power to investigate any complaints. They would then recommend a fine be given by the Tribunal of 3-6 people, 1 of whom must have privacy experience. Yes, 1. This is not a peer Tribunal. The Privacy Commissioner’s team is steeped in privacy experience when they investigate and recommend fines. The Tribunal will consist of “appointees” and 1 privacy professional. How can we expect them to understand complicated nuances that even privacy professionals often struggle with?
Now let’s look at the volume of investigations. We know from our CASL experience that a single body, whether it be the CRTC or the Office of the Privacy Commissioner, can only conduct so many investigations and bring them to a fair conclusion. If I am reading this proposal correctly, the Commissioner does not have the option of entering into undertakings – negotiated settlements – like they do under CASL. The point is, assuming most investigations will take at least 12 months, their limited staff will only be able to properly conduct a limited number of investigations. Are we back to the “odds of winning a lottery” regarding the chances of being fined under the CPPA?
The proposed Bill C-11 includes a very limited private right of action. I say very limited because of 2 key factors. First, it is not truly open to the public. An individual can participate in a PRA only if the Office of the Privacy Commissioner AND the Tribunal find the company in question guilty AND any appeals and counter appeals have been dealt with. Only then can a class action lawsuit be launched. And unlike the PRA under CASL, this proposed “faux-PRA” requires each individual participant to prove losses or damages as a result of the company’s actions, which any lawyer can tell you will be very difficult to do.
With this in mind, I have a few questions:
- Does Canada’s Digital Charter principle (promise) of “Strong Enforcement and Real Accountability: There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.” appear either possible or probable?
- Does this proposed enforcement plan sound like it will hold business accountable for respecting individuals’ privacy, in a manner that will make a difference to the average Canadian citizen?
- Do you feel confident that “Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.” (the 3rd principle of the Digital Charter)?
- Without strong and meaningful enforcement will organizations follow these new regulations or do you believe they will simply carry on doing what they currently do with our personal information? Will anything change as a result of this legislation?
- Principle 7 of the Digital Charter says “Data and Digital for Good: The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people—at home and around the world.” Is this possible or probable without strong and meaningful enforcement?
- Will you, as stated in principle #2 of the Digital Charter, “be able to rely on the integrity, authenticity and security of the services they use and should feel safe online.”?
Bill C-11 received a second reading in the House this past week. Left unchallenged it could pass. If you are concerned, as I am, please reach out to your MP or go direct to:
Navdeep Bains – Minister of Innovation Science and Economic Development – Email: navdeep@navdeepbains.ca
James Cumming, MP – Co-Chair of the INDU Committee and Shadow Minister for Innovation, Science and Economic Development – Email: james.cumming@parl.gc.ca
David Sweet, MP – Chair of the ETHI Committee, Email: dsweetmp@gmail.com
Let them know your specific concerns and help provide the tools for them to challenge parts of this proposed bill and put some real teeth in the law. Tell them it matters to you and enforcement must be stronger than a political soundbite (“the highest fines in the G7 community”). If only 6 fines happen in a 3 1/2 year period, will the size of the fines matter? Or will the number of fines be the important factor?