
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | March 26, 2014

New anti-spam legislation could bolster Canadian privacy commissioner’s call for greater PIPEDA enforcement powers

Image: fightspam.gc.ca

Canada’s new anti-spam legislation (“CASL”) comes into effect later this year, and it packs a punch—fines of up to $10 million per violation for companies and up to $1 million per violation for individuals. The government was clearly prepared to give regulators substantial teeth to both encourage compliance and punish non-compliance.
It is interesting to compare this approach to Canada’s federal private-sector privacy legislation. The Personal Information Protection and Electronic Documents Act (“PIPEDA”), which came into force in 2004, gives the federal privacy commissioner broad investigative powers but no direct enforcement powers. In particular, PIPEDA does not contemplate fines – so even massive and preventable privacy breaches have lesser potential consequences than they might elsewhere.
Contrast this with the United Kingdom’s Data Protection Act. The UK Information Commissioner’s Office (“ICO”) can impose a monetary penalty if it is satisfied that (1) there has been a serious contravention of the legislation, (2) the contravention was likely to cause “substantial damage or substantial distress”, and (3) the contravention was either deliberate, or the responsible party knew or ought to have known that there was a risk of such a contravention and of such harm, but failed to take reasonable steps to prevent it.
When Sony’s Playstation Network was hacked in 2011, over 24 million user accounts were accessed worldwide. The UK ICO’s investigation concluded that the attack could have been prevented if software had been up to date, and that technical developments meant the passwords were not secure. The ICO concluded that Sony had not taken appropriate technical measures against unauthorized or unlawful processing of personal data, and did not ensure a level of security appropriate to the harm that might result from such unauthorized or unlawful processing and the nature of the personal data in question. The ICO therefore imposed a £250,000 penalty on Sony Europe for this breach. Sony recently dropped its appeal of this decision and fine (although it maintains that it disagrees with both, and that it is dropping the appeal only because it does not want to reveal details of its network security practices in the appeal proceeding).
Although the Sony breach affected many Canadians as well, the Canadian privacy commissioner did not have a similar stick to hold over Sony’s head—and the privacy commissioner’s office has begun to speak out against this state of affairs. Shortly after the Sony breach, our privacy commissioner called for the ability to impose “significant, attention-getting fines” on companies whose poor privacy and security practices lead to breaches. And the commissioner’s May 2013 written submission to Parliament was blunt:

“The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data.”

Although some proposed changes to PIPEDA are underway, on the enforcement side they are limited to mandatory breach disclosure and do not contemplate fines. However, given the substantial fines (or “administrative monetary penalties”, as they are called) available under the new anti-spam legislation, one wonders whether there might be an appetite for stronger enforcement and deterrence powers under PIPEDA as well. After all, a significant privacy breach is arguably more harmful than distributing unwanted commercial emails, and it is not clear why there has been greater effort to discourage the latter than the former. (Though, to be fair, the anti-spam legislation also prohibits various activities relating to malware, spyware, phishing and pharming, all of which can cause significant harm.) For now, we will have to wait and see whether the anti-spam enforcement powers lead to stronger tools for addressing and deterring privacy breaches under PIPEDA—or whether the commissioner is left with, in her words, “soft recommendations with few consequences”.
If you have any questions about this post or if you would like further information about these matters, please contact the authors or any of the members of Davis LLP’s Privacy & Access to Information Group.
David Spratley
Davis LLP Privacy & Access to Information Bulletin
Republished with permission from Davis LLP

Occasional Contributors
In addition to our regular guest bloggers, the First Reference Talks blog, published by First Reference, provides occasional guest post opportunities to subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada, among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to the First Reference Talks blog to get regular updates.

