Following the recent fine against Facebook for C$9.5 million under the Competition Act pursuant to allegations that it made "false or misleading claims about the privacy of Canadians' personal information,” the Competition Bureau has called for increased fines for privacy violations.
As we previously reported in Key Takeaways from Competition Bureau Fine for Privacy Violation, the fine (which Facebook agreed to pay without any acknowledgement of wrongdoing) was near the upper range of potential administrative penalties under the Competition Act, which are up to C$10 million and up to C$15 million for each subsequent order against a corporation.
In an interview following the reporting of the fine, the Commissioner of Competition, Matthew Boswell, stated that the Canadian settlement amount was "certainly not in the same ballpark"1 as the settlement that Facebook reached with United States Federal Trade Commission (FTC) earlier this year: US$5 billion. While a multi-billion dollar fine was unprecedented for the FTC, previous FTC fines for privacy violations have well exceeded multiples of the Canadian maximum on several occasions, examples of which include the following:
Canadian Competition Commissioner Mathew Boswell has stated that the penalties under the Competition Act should reflect more than just a cost of doing business. As a point of reference, Facebook reportedly had 23.8 million active Canadian users in 2019, and 24.1 million in 2020.
Legislative amendments would be required to raise the cap on the maximum penalties under the Competition Act. The Competition Bureau is not alone in supporting legislative reform for stiffer penalties against corporations for privacy violations. The Office of the Privacy Commissioner of Canada, which cannot currently impose administrative penalties against an organization for failing to comply with its privacy obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), has called for reform to empower it "to conduct proactive inspections, make binding orders and impose consequential penalties for non-compliance with the law."2
With such calls to action becoming more frequent and in light of the increasing number of high-profile privacy breaches, we anticipate legislative reform in this area. In our last post on this matter, we set out some key issues to consider in managing the risk of regulatory exposure.
For more information regarding how to contain regulatory and litigation exposure arising from the management of personal information, contact the Bennett Jones Privacy and Data Protection group.
1. MLex, Richard Vanderford, "After C$9.5 million Facebook settlement, Canada competition boss calls for law to allow tougher fines" (May 27, 2020).
2. Office of the Privacy Commissioner of Canada, "2018-2019 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act," https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201819/ar_201819.