Earlier this week, the Office of the Privacy Commissioner of B.C. (OIPC BC) and the Office of the Privacy Commissioner of Canada (OPC) released a joint investigation report that found a B.C. company violated B.C.’s provincial and Canada’s federal privacy laws.
The report states that, while working on high-profile campaigns in the U.K., the U.S., and Canada, AggregateIQ did not comply with the consent provisions of B.C.’s Personal Information Protection Act (PIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and did not employ reasonable security safeguards.
The report makes two recommendations in order for the offending company to become compliant with Canadian privacy laws:
The OIPC BC and the OPC will collect evidence from the company in approximately six months to confirm that the recommendations have been implemented and that the company is now compliant.
This response highlights the need for Canadian regulatory bodies to have the power to issue fines when they find organizations to be in violation of Canadian law.
Privacy commissioners need to be able to levy stiff fines, otherwise there’s not much point in having a “law” https://t.co/tOAhKeYhxv
— profdeibert (@RonDeibert) November 27, 2019
When asked why no fines were issued despite the investigation finding that the company had violated Canadian privacy laws, the Information and Privacy Commissioner for B.C., Michael McEvoy, said: “There are no fines because we do not have the authority to levy fines.”
Absent from the international media attention this report received is the observation that Canada’s privacy regulators are powerless to enforce privacy laws through fines.
International regulators are using their fining powers to compel compliance to great effect. Examples include the Federal Trade Commission’s $5 billion civil penalty against Facebook, and the U.K. Information Commissioner’s Office’s (ICO) stated intention to fine British Airways more than £183 million.
In fact, the ICO in the U.K. has a standing enforcement notice against AggregateIQ, threatening fines of up to 20 million Euros should the company not comply with that notice within 30 days of the conclusion of the joint OIPC and OPC investigation.
This leads one to wonder whether AggregateIQ is implementing the recommendations of the OIPC BC and OPC in good faith, or because it faces the threat of significant fines from an international regulatory body.
“At the end of the day, privacy, and the legislation that governs it, needs to be brought into the 21st century where the realities of cross-boundary data sharing leave much to be coveted in terms of protections for personal information,” says Joyce Yan, BC FIPA’s Interim Executive Director.
“We have been a longtime advocate for increasing the Commissioners’ powers, but with the case of AggregateIQ, it has become clear that order-making powers (a tool the federal Privacy Commissioner still doesn’t have in his toolkit) are simply not enough. The provincial and federal privacy laws are antiquated, and we are falling behind our foreign counterparts.”
We strongly urge our fellow privacy advocates to join us as we continue to push for law reform that gives Canadian regulators the power necessary to protect privacy and compel compliance.