The headlines about the new proposed federal privacy law, the Consumer Privacy Protection Act (“CPPA”), frequently focus on the extremely high penalties and fines for non-compliance. But these headlines miss by a wide margin how onerous liability under the CPPA will be.
The liability under the CPPA will be a major departure from the PIPEDA regime. The changes are explained in the detailed blog post, The CPPA’s Privacy Law Enforcement Regime, published by McCarthy Tetrault lawyers Gillian Kerr, Nikiforos Iatrou, Pippa Leslie and me (with help from Daanish Pasricha).
The CPPA’s liability measures make the CPPA particularly risky for organizations operating in Canada because, as I explained in another blog post on the impacts of the CPPA on small business, the CPPA uses many open-ended principles that will be difficult to apply in the fast-changing and complex environments that characterize our 4th industrial revolution.
Here are the highlights of the liability and enforcement measures under the CPPA that would make it the most, or at least one of the most, onerous privacy regimes anywhere:
- There can be liability under the CPPA for penalties as high as the greater of $10 million or 3% of an organization’s gross global annual revenue. These are higher than under the GDPR.
- There can be liability under the CPPA for fines of up to the greater of $25 million or 5% of an organization’s gross global annual revenues for certain contraventions of the CPPA.
- The Commissioner will be able to investigate alleged privacy breaches, make compliance orders (including interim orders) and recommend that penalties be imposed. Unlike other tribunals, there is no required separation between the investigation and enforcement branches of the OPC.
- Despite the high potential penalties and risks of compliance orders, there is very little guaranteed procedural protection before the Commissioner or before the new tribunal which can impose the penalties and to which appeals from orders made by the Commissioner can be made.
- Despite the thin procedural protections before the Commissioner (who can investigate a breach, impose orders and recommend that penalties be imposed), deference has to be given to the findings of the Commissioner on an appeal to the new tribunal. This will make many of the Commissioner’s decisions hard to appeal. Deference may be appropriate for decisions made by an impartial tribunal after an adversarial and fair process, but impartiality and a robust process are not guaranteed under the CPPA.
- Decisions of the tribunal will be difficult to challenge on judicial reviews to the courts.
- The Commissioner’s reports and decisions of the tribunal can be used as a basis for private rights of action, including class actions, for breach of the CPPA. This could lead to class actions based on common law claims and for breach of the CPPA. The report of the Commissioner is supposed to provide a gatekeeper function. But this is lacking with a process where the Commissioner is the investigator, prosecutor, judge and jury, and where, considering the consequences of the Commissioner’s decisions, there is a lack of procedural protection and limited ability to correct mistakes on appeal.
The Commissioner is an Officer of Parliament. Given the broad enforcement powers of the Commissioner, there are also constitutional questions as to whether such powers can or should be exercisable by a person with that status.
Canadians want their reasonable expectations of privacy to be respected. This may include a desire for new liabilities under the CPPA and new enforcement powers for the OPC. However, as I showed in a prior blog post, the OPC’s own statistics don’t make the case for a radical change and especially not for a shift to what perhaps will be the world’s most in terrorem privacy liability regime. If the CPPA’s remedial measures are intended to balance the need to enforce compliance with privacy obligations and to foster innovation and risk taking by business, this liability calibration is way off target.
For more on liability under the CPPA, see The CPPA’s Privacy Law Enforcement Regime, published by McCarthy Tetrault and mentioned above.