Evidence of meeting #89 for Industry, Science and Technology in the 44th Parliament, 1st Session.

Also speaking

Mark Schaan, Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry
Runa Angus, Senior Director, Strategy and Innovation Policy Sector, Department of Industry
Samir Chhabra, Director General, Marketplace Framework Policy Branch, Department of Industry

5:55 p.m.

Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry

Mark Schaan

The contemplation of the age of majority is one that is currently contemplated to be within the provincial purview. That said, I think there is ongoing engagement about the best way to ensure that there is an effective protection for minors, notwithstanding the fact that the age of majority is something that's determined at the level of the province.

5:55 p.m.

Ryan Williams Conservative Bay of Quinte, ON

Why were our privacy impact assessments, PIAs, not made mandatory for all organizations when choosing to collect Canadian data?

5:55 p.m.

Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry

Mark Schaan

I'll turn to my colleagues for more on this.

I think the fundamental recognition is that there are a number of elements of the privacy law that will require organizations to contemplate the privacy impacts of their actions, and there are a number of recourse mechanisms should they not.

I'll turn to my colleagues.

October 17th, 2023 / 5:55 p.m.

Runa Angus Senior Director, Strategy and Innovation Policy Sector, Department of Industry

Thank you for your question.

In terms of the privacy impact assessments, the act, as Mark said, does incorporate a lot of the considerations. When they are developing privacy management programs, all Canadian companies have to develop privacy management programs where they have to consider the sensitivity of the information, whether there are better ways to collect it, minimization rules and things like that, which are principles that a privacy impact assessment would also include. In effect, it does take the approach of privacy by design or privacy impact assessment.

5:55 p.m.

Ryan Williams Conservative Bay of Quinte, ON

I have a quick question, so I'm looking for a quick follow-up.

Would a PIA be similar to a privacy management plan?

5:55 p.m.

Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry

Mark Schaan

I'll start, and then Runa can answer.

The answer is yes, in the sense that it will inform all privacy-related actions. It's actually broader than a privacy impact assessment, in the sense that all companies will be required to have a privacy management program for their use of personal information, which gets at all of the elements that were noted. In fact, in the case of small and medium-sized enterprises, we require the Office of the Privacy Commissioner to work for a certification that SMEs can live up to with respect to their PMPs.

5:55 p.m.

The Chair Liberal Joël Lightbound

Ryan, you've taken two more minutes, and we're already short on time, so keep that goodwill in mind.

You're next, Tony, briefly.

5:55 p.m.

Tony Van Bynen Liberal Newmarket—Aurora, ON

Great, I'll be brief.

Thank you for being here.

What are the penalties for non-compliance with AIDA and CPPA?

5:55 p.m.

Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry

Mark Schaan

They're a little bit different, and there are a number of functions that are important.

I'll start with the CPPA, and then I'll turn to AIDA. My colleagues will kick me under the table and join in if I get some of these elements wrong.

Under the CPPA, part of this bill fundamentally creates a robust enforcement regime that has a number of tools in the tool box related to how privacy infractions will be contemplated. One of the ones that are not a penalty per se is the order-making power that's granted to the Office of the Privacy Commissioner, which is an extraordinary power that allows the Office of the Privacy Commissioner and the Privacy Commissioner to order a firm to alter its privacy practices, including potentially the cessation of the collection, use or disclosure of personal information of Canadians.

Subsequently, though, there's also the capacity for the Privacy Commissioner to make a recommendation about administrative monetary penalties for violations of the law. He or she would make that recommendation to the new tribunal that's created in part 2, and the tribunal has the capacity to issue administrative monetary penalties that are the strongest in the world. Those penalties are a function of a maximum amount as well as a percentage of overall global revenue.

I'm going to turn to Samir to remind me of the specific numbers related to both of those.

5:55 p.m.

Samir Chhabra Director General, Marketplace Framework Policy Branch, Department of Industry

Yes, I'm happy to do that.

With respect to the CPPA, currently in the drafting, the Privacy Commissioner would have the ability to recommend administrative monetary penalties up to $10 million or 3% of global revenue, whichever is higher. The act also specifies a number of specific offences for egregious contraventions of the act, which carry higher penalties of up to $25 million or 5% of global revenues, whichever is higher. Some of the examples of an egregious offence would be an organization that disobeyed an order directly, an organization that obstructed investigation, an organization that retaliated or attempted to retaliate against a whistle-blower or one that did not inform the commissioner of a breach of privacy.

5:55 p.m.

Tony Van Bynen Liberal Newmarket—Aurora, ON

Given the scope and scale of global enterprises today, how do you feel these fines would act if they were considered to be just a cost of business? “It's 3% of global revenue. Fine. We'll continue.” How do you stop that?

6 p.m.

Senior Assistant Deputy Minister, Strategy and Innovation Policy Sector, Department of Industry

Mark Schaan

Thank you, Mr. Chair. I appreciate the question.

I think we tried to set an administrative monetary penalty limit that is and would be considered deeply meaningful. The 3% of global revenue—that is not 3% of global profit, but 3% of global revenue—we believe to be meaningful for even the largest of actors.

Moreover, the order-making power that is afforded to the Office of the Privacy Commissioner is such that should there be an ongoing violation of the CPPA insofar as a company has been ordered by the tribunal to pay but continues the privacy infraction practices, we have the capacity to shut down the intake and the continued usage of the personal information via the powers we have afforded to the Office of the Privacy Commissioner. I think that's deeply meaningful.

Go ahead, Samir.

6 p.m.

Director General, Marketplace Framework Policy Branch, Department of Industry

Samir Chhabra

I'll just add to Mark's point that the administrative monetary penalties and the offence penalties I just identified would be the highest in the world, so I think we see them as very significant and meaningful potential financial hurdles.

6 p.m.

The Chair Liberal Joël Lightbound

Thank you, MP Van Bynen.

Colleagues, we have a hard stop at six o'clock.

I understand I have granted you one minute, Monsieur Lemire. If you have one very pressing question, I'd let it go.

6 p.m.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you. I have two quick questions.

Can an adult request that an organization dispose of data from when that individual was a minor? If personal information was collected when the person was a minor, can they, as an adult, have the information deleted?

6 p.m.

Senior Director, Strategy and Innovation Policy Sector, Department of Industry

Runa Angus

Thank you for your question.

The short answer is yes. That is actually a new right that has been provided for in the consumer privacy protection act. It's very much in line with the EU's GDPR.

6 p.m.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Very good.

If organizations violate the law in relation to minors, are they liable to monetary penalties only? Can civil or even criminal actions be brought against them?

6 p.m.

Senior Director, Strategy and Innovation Policy Sector, Department of Industry

Runa Angus

Yes. Bill C‑27 also establishes a private right of action.

Obviously, regulatory recourse is available, going through the commissioner and so forth, but there are ways to initiate legal action against private organizations.

6 p.m.

Sébastien Lemire Bloc Abitibi—Témiscamingue, QC

Thank you very much.

6 p.m.

The Chair Liberal Joël Lightbound

Thank you to the witnesses and members. I also want to thank our interpreters, analysts and clerk.

No doubt, we will see each other again very soon.

The meeting is adjourned.