Privacy and the means for enforcement
An empowered Privacy Commissioner and a new tribunal will need resources to be effective.
When governments draft new laws on controversial topics, typically they can hope for only one type of reaction — an acknowledgement that it's better than what came before.
Bill C-11 is at least being received with a sigh of relief by most critics of the Personal Information Protection and Electronic Documents Act. The new legislation proposes to replace what Teresa Scassa of the University of Ottawa calls PIPEDA's "soft-touch oversight and enforcement model" with one that has actual teeth.
"I do think it's an improvement, but PIPEDA set a really low bar," said Scassa, the Canada Research Chair in information law and policy. "The government certainly hit some of the right notes and beefing up enforcement was something that absolutely had to be done."
C-11 gives the Office of the Privacy Commissioner of Canada (OPC) something it has been requesting for years: the power to issue orders to enforce compliance with the law. The power to issue penalties, meanwhile, is to be vested in a new Personal Information and Data Protection Tribunal — which can impose fines ranging up to 5% of an organization's global revenue or $25 million, whichever is greater, for serious breaches of the law. Less serious violations could see fines of 3% of global revenue, or $10 million.
On paper, it looks like a substantial escalation of the commissioner's authority, even though the penalty power is being reserved for the tribunal. David Fraser, a privacy law expert at McInnes Cooper who has represented Google in the past, said splitting power between the commissioner and the tribunal serves to guard against conflicts of interest.
"That's the kind of trouble you get into when you vest the roles of advocate, investigator, prosecutor and judge in a single person or office," he said. "So I was pleasantly surprised to see the tribunal in there. That's not the model at work in privacy legislation at the provincial level, so it's an improvement, I think."
The structure of the tribunal itself is more problematic, said Scassa. "The legislation says only one member of the tribunal must be an expert in privacy law," she said.
"So the nature of the tribunal really depends on the nature of the government that appoints it. A government that believes in openness will see that attitude reflected in its choice of people to sit on the tribunal, while a government that wants to gut the system can always fill the tribunal with patronage hacks."
Could the bifurcated nature of enforcement under Bill C-11 lead to friction between the commissioner and the tribunal? Molly Reynolds, who specializes in privacy law and data at Torys LLP, said past experience suggests the two bodies will learn to co-exist — even in cases where the tribunal declines to order a penalty.
"The tribunal can decide whether a penalty meets the needs of the case — if a company conducted its due diligence in the eyes of the tribunal, for instance, it could decide not to order a penalty," she said.
"In practice, I don't think it will set up conflicts between the commissioner and the tribunal. We haven't seen the Federal Court say to the OPC, 'You got this one completely wrong.'"
Still, there are blind spots in Bill C-11's approach to enforcement, Scassa said. "Section 18, for example, lists exceptions to companies' obligation to obtain an individual's knowledge and consent before harvesting private information," she said.
"I think it's hugely problematic. It creates a situation where an organization doesn't even have to tell anyone what it's doing with private information. If you don't know it's happening, how can you tell if it's gone off the rails?"
Another blind spot, Scassa said, lies in how the tribunal intersects with the so-called "private right of action" in the new legislation. To pursue a private action under the new regime, a plaintiff would have to first "successfully" file a complaint with the commissioner, she said.
"And then there is a right of appeal to the tribunal. So it could mean individuals are kept waiting for years until they have permission to pursue their complaints in the courts," she said.
Meanwhile, another section in Bill C-11 gives the commissioner the right to decline to review specific complaints — a tool to triage what might otherwise be an unmanageable workload for an office with limited resources. "But because a private right of action depends on first having a complaint heard by the commissioner, it closes off that avenue," said Scassa.
In fact, the question of resources remains an Achilles heel for the whole privacy regime, she said: "You could have the best bill in the world, and if the government wants to amp up the use of personal information in the private sector, all it has to do is starve the commissioner's office of funds."
In short, there could be gaps between the way the new privacy regime works in principle and how it functions in practice. For lawyers, at least, the creation of the tribunal means they'll get something they've lacked up to now: guidance.
"One great advantage of the tribunal is that now we're going to be getting written decisions," said Fraser. "Even if the tribunal isn't required to follow its own precedents, it will want to, just to convince the business community this process isn't wacky.
"So it will be much less opaque than, say, the CRTC process enforcing the anti-spam law. And it will allow lawyers to give their clients much better advice."