Canada’s new anti-spam legislation (“CASL”) comes into effect later this year, and it packs a punch – fines of up to $10 million per violation for companies and up to $1 million per violation for individuals. The government was clearly prepared to give regulators substantial teeth to both encourage compliance and punish non-compliance.
It is interesting to compare this approach to Canada’s federal private-sector privacy legislation. The Personal Information Protection and Electronic Documents Act (“PIPEDA”), which came into force in 2004, gives the federal privacy commissioner broad investigative powers but no direct enforcement powers. In particular, PIPEDA does not contemplate fines – so even massive and preventable privacy breaches have lesser potential consequences than they might elsewhere.
Contrast this with the United Kingdom’s Data Protection Act. The UK Information Commissioner’s Office (“ICO”) can impose monetary penalties if it is satisfied that there has been a serious contravention of the legislation likely to cause “substantial damage or substantial distress”, and that either the contravention was deliberate, or the responsible party knew or ought to have known that there was a risk the contravention would occur and would likely cause such damage or distress, but failed to take reasonable steps to prevent it.
When Sony’s PlayStation Network was hacked in 2011, over 24 million user accounts were accessed worldwide. The UK ICO’s investigation concluded that the attack could have been prevented if software had been up to date, and that technical developments meant the passwords were not secure. The ICO concluded that Sony had not taken appropriate technical measures against unauthorized or unlawful processing of personal data, and had not ensured a level of security appropriate to the harm that might result from such unauthorized or unlawful processing and to the nature of the personal data in question. The ICO therefore imposed a £250,000 penalty on Sony Europe for this breach. Sony recently dropped its appeal of this decision and fine (although it maintains that it disagrees with both, and that it is dropping the appeal only because it does not want to reveal details of its network security practices in the appeal proceeding).
Although the Sony breach affected many Canadians as well, the Canadian privacy commissioner did not have a similar stick to hold over Sony’s head – and the privacy commissioner’s office has begun to speak out against this state of affairs. Shortly after the Sony breach, our privacy commissioner called for the ability to impose “significant, attention-getting fines” on companies whose poor privacy and security practices lead to breaches. And the commissioner’s May 2013 written submission to Parliament was blunt:
“The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data.”
Although some proposed changes to PIPEDA are underway, on the enforcement side they are limited to mandatory breach disclosure and do not contemplate fines. However, given the substantial fines (or “administrative monetary penalties”, as they are called) available under the new anti-spam legislation, one wonders whether there might be an appetite for stronger enforcement and deterrence powers under PIPEDA as well. After all, a significant privacy breach is arguably more harmful than distributing unwanted commercial emails, and it is not clear why there has been greater effort to discourage the latter than the former. (Though, to be fair, the anti-spam legislation also prohibits various activities relating to malware, spyware, phishing and pharming, all of which can cause significant harm.) For now, we will have to wait and see whether the anti-spam enforcement powers lead to stronger tools for addressing and deterring privacy breaches under PIPEDA – or whether the commissioner is left with, in her words, “soft recommendations with few consequences”.