Key Takeaways from Competition Bureau Fine for Privacy Violation

Facebook has agreed to pay a fine of $9 million under the federal Competition Act stemming from the Cambridge Analytica matter and to reimburse the cost of the inquiry of $500,000 (without any acknowledgment of wrongdoing). This fine is the first issued for a privacy violation by the Competition Bureau under its authority to regulate deceptive marketing practices.

As previously reported by Bennett Jones in Competition Bureau Intends to Police Privacy Violations—Beware of Potential Fines and Organizations Can Expect Increased Canadian Regulation for Privacy Violations, regulation of privacy violations by the Competition Bureau was anticipated. Under the Competition Act, the Competition Bureau has the authority to regulate matters where an organization has made representations to a consumer about the collection, use or safeguarding of personal information, and then fails to comply with those representations. The United States Federal Trade Commission regularly regulates privacy matters and imposes substantial fines under similar authority to regulate deceptive practices.

The significance of the involvement of the Competition Bureau in privacy matters lies in the level of potential fines and the introduction of additional regulatory scrutiny. The Competition Bureau can seek an administrative penalty of up to $10 million, and up to $15 million for each subsequent order against the corporation. In the case of an individual (which conceivably could include directors or officers of a company), the Competition Bureau may seek an administrative penalty of up to $750,000, and up to $1 million for each subsequent order against the individual. In contrast, the federal Privacy Commissioner currently has no authority to seek an administrative penalty against an organization that fails to comply with its privacy obligations. However, the federal Privacy Commissioner can seek a court order imposing restrictions on an organization's ability to collect or use personal information.

Companies—large and small—should expect surveillance of their marketing practices when it comes to privacy. Competition Bureau Commissioner Matthew Boswell has stated the following in connection with this matter: "[t]he Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies".

This development marks a noteworthy transition for the regulation of privacy matters in Canada, particularly as the digital economy introduces new opportunities for companies to commoditize and profit from the collection and manipulation of data. This development also coincides with repeated calls by the federal Privacy Commissioner for more authority (including the ability to issue fines), and with his increasing focus on issues relating to the use of personal information without appropriate consent.

Companies should expect increased regulatory scrutiny regarding the use made of collected personal information, whether the use is for a reasonable purpose (as required by privacy legislation) and whether there is meaningful consent obtained for the collection and use of that information. Being prepared should be a central priority for any organization involved in the collection, use, storage, or processing of personal information.

Key Takeaways

To manage the risk of regulatory exposure (as well as litigation risk involving privacy violations), organizations should consider the following:

1. Map and Characterize Your Data

Develop a clear understanding of the following (among other things):
Personal information is broadly defined and includes categories of information beyond the more obvious types such as name, address, government identification numbers, and banking information. Personal information can include, for example, an individual's preferences (what items the user purchases), habits (frequency of travel and routes), or reactions (what ads the user clicks on).

2. Review Consent

Analyze the consent obtained from individuals, including the context in which consent is obtained (e.g., is it simply a "click-through" consent), and whether you have obtained valid and meaningful consent. In particular, consider whether it is reasonable to conclude that the individuals understand the following:
A consideration of whether the consent is meaningful may require an assessment of the context in which the consent is given in view of the sensitivity of the information involved, and the purpose or potential for repurposing of the collection and use of the information.

3. Review Third-Party Contracts

Cover transfers of personal information to third parties by written agreements that include:
4. Assess Safeguards

Assess whether the operational, physical and technical safeguards in place, and those of any third parties to which they transfer personal information, are reasonable, in the context of the sensitivity of the information, and the duration of time the information may be kept.

Do Not Assume

Corporate executives may assume their company obtains appropriate consent for the collection of personal information since they have language in their privacy policy that captures broad categories of potential uses of information. They may assume that because the company has asked for consent in the policy, the company can use the information for any purpose regardless of whether that purpose or repurposed use is reasonable. They may assume that the third parties to which the company has transferred data will comply with their obligations to limit use of the information or to safeguard the information. They may assume that because their IT department has said they have "good protections" they are taking all required steps to safeguard information.

For more information regarding how to manage regulatory and litigation exposure arising from the management of personal information, contact the Bennett Jones Privacy and Data Protection group.