PIPEDA Fines: How Much Do You Have to Pay?
Any good business leader should be aware that without customers, they have no business. With this in mind, full compliance with the PIPEDA regulations in conducting your commercial activities will help avoid possible PIPEDA fines. This will also help ensure that your customers can trust your organization to keep their sensitive personal information safe.
Compliance with PIPEDA helps your customers decide whether your business can be trusted with their personal information. Any violation of the regulations that leads to a data breach will prompt your customers to seek recourse for the disclosure of their personal data.
"Prevention is better than cure," says the old adage, so read on as we share with you in detail the penalties and monetary fines enforceable for any data breach of the personal information of an affected individual.
- PIPEDA is the broad legislative act enacted in April 2000 by the Parliament of Canada; it is the federal privacy law that most private businesses collecting, using, or disclosing personal information in Canada must comply with.
- Certain organizations, such as non-profit organizations, charity groups, and political parties, are exempt from abiding by PIPEDA regulations unless they engage in commercial activities that don't normally form part of their core operations.
- Non-compliance with the regulations of PIPEDA by a private business can result in hefty financial penalties with fines of up to $100,000 CAD per violation.
Who Does Canada's PIPEDA Apply to?
PIPEDA is the broad legislative act enacted on April 13, 2000, by the Parliament of Canada. It regulates most private businesses that engage in commercial activity and collect, use, or disclose the personal information of Canadian citizens, and those businesses must comply with it.
Your business is also bound by PIPEDA regulations that include keeping personal information safe from cybercriminals, following the cross-border transfer protocols, and reporting data breaches in a timely manner, among other things.
The data privacy law defines commercial activity as any transactions, acts, conduct, or any regular course of conduct that is commercial in character, which includes the selling, bartering or leasing of any donor, membership or other fundraising lists.
Privately owned business entities that must ensure PIPEDA compliance include the likes of:
- Insurance brokers
- Online commercial retailers
- Law firms
- Private healthcare providers
- Private schools
Apart from the above-listed business types, the following federally regulated organizations conducting business in Canada are also subject to PIPEDA, with the data protection law covering the personal information of their employees as well:
- Airports and airlines
- Inter-provincial or international transportation companies
- Telecommunications companies
- Offshore drilling operations
- Radio and television broadcasters
Certain organizations, such as non-profit organizations, charity groups, and political parties, are exempt from abiding by PIPEDA regulations unless they engage in commercial activities that don't normally form part of their core operations.
The provinces of Alberta, British Columbia, and Quebec have their own private-sector privacy laws (PIPA) similar to PIPEDA, so the handling of personal data within those provinces is exempt from PIPEDA.
PIPEDA Fines for Non-Compliance
If your business is found to be non-compliant with PIPEDA, there are three major penalties that can be enforced by the Office of the Privacy Commissioner of Canada (OPC).
Non-compliance with the regulations of PIPEDA by a private business can result in hefty financial penalties with fines of up to $100,000 CAD per violation.
A fine may not be invoked for every violation of the regulations of PIPEDA. However, business leaders will do well to bear in mind that the OPC is particularly aggressive in the course of its investigations, with some big brands having been investigated and found in violation of PIPEDA recently.
Although the OPC's jurisdiction and penalties are limited, a business found in violation of PIPEDA may be referred to the Attorney General of Canada for further legal action.
The OPC and the Attorney General will conduct audits leading to the enforcement of compliance agreements, or your business may be required to disclose vital company behaviour to the public domain or be punished in other ways.
Possibly the biggest threat to organizations is reputation loss. When the general public, including your loyal customers, learns that they cannot trust your business to handle their private information safely, then you are definitely in trouble.
Just the threat of a public denouncement by the OPC for PIPEDA non-compliance should be encouragement enough to implement security safeguards and prevent significant harm to your business's reputation.
How is PIPEDA Enforced?
Enforcement of PIPEDA is overseen by the body mentioned above, the Office of the Privacy Commissioner of Canada (OPC). Along with its other duties, the OPC's primary responsibility is investigating complaints against businesses that have violated applicable PIPEDA provisions.
The OPC both investigates PIPEDA violations and enforces the act. The OPC normally waits for an individual or company to file a complaint, although it can take the initiative and begin investigating a business if a violation of the privacy act is suspected.
After completing an investigation, and depending on its results, the OPC may dismiss the complaint or enforce PIPEDA.
Other Consequences of Non-compliance with PIPEDA
Not only does your business face a financial loss from any imposed fine, but any legal process is going to be costly. The OPC enforces compliance with PIPEDA by means of federal court proceedings, an audit of privacy practices, penalties, or by way of general public interest disclosures and censures.
Federal Court Proceedings
Heading to any of Canada's federal courts is a time-consuming experience for all parties involved and may take up to two years to finalize.
Defending any application requires legal representation and preparation of the relevant documents such as affidavits, Memoranda of Fact and Law, cross-examining and being cross-examined on affidavits, as well as time and legal costs incurred in attending the hearing.
Audit of Privacy Practices
Any security breach leading to unauthorized access to a customer's personal data will prompt the OPC to conduct tougher audits of your business's privacy practices.
An audit may take a closer look at the physical and security controls your business uses to protect the personal data that your business has on hand, your policies, procedures and practices that are in place, as well as your data breach management policy.
The audit results will allow the OPC to identify the extent to which a business is meeting its privacy law obligations and can lead to the enforcement of a compliance agreement.
Disclosures and Censures
When the OPC discloses vital business operating processes into the public domain, the resulting loss of customer trust will cause untold damage to a business, as will any damning public denouncement by the OPC.
In the event of a complaint, it is not a wise move for any business to try to cover its tracks and hide or destroy evidence of its failure to provide appropriate security safeguards for sensitive personal information. This may end up hurting your case.
Depending on the violation, criminal prosecution may be a form of punishment that is used.
Tips to Avoid PIPEDA Fines
As previously mentioned in our article, preventing problems is always a better option than trying to fix them after the fact. Making wise decisions, including making a concerted effort to ensure full PIPEDA compliance, is a step in the right direction for your business.
Full corporate compliance with PIPEDA is best guaranteed by brushing up on the law in your business jurisdiction.
Let's take a look at some useful tips to achieve this compliance.
Perform Regular PIAs and Other Data Handling Reviews
Your business is required by PIPEDA to regularly submit privacy impact assessments to the OPC. It is recommended to perform internal assessments over and above the mandated requirements to evaluate the handling, security, and use of consumer private data, which helps prevent serious threats down the road.
Maximize Security and Minimize Risk
Investing in and installing advanced data security protection systems should help your business minimize the risk that comes from collecting, using, and distributing your customers' personal information.
This could include having an end-to-end communication system, secure cloud storage, and access controls.
PIPEDA requires your business to immediately report data breaches to the OPC. Any failure to report in time may lead to significant penalties being imposed and add to the harm caused by the breach.
The OPC is also a valuable resource for containing breaches, and its experts can assist in minimizing the fallout, which may reduce possible OPC penalties.
Consult PIPEDA Experts like Captain Compliance
Consultation with a knowledgeable compliance services provider like Captain Compliance is one of the best choices you can make when trying to become compliant.
Data Discovery & Protection Tools
Your business may benefit from the use of data privacy protection software. The use of up-to-date software platforms will strengthen your consumer data security, and regular updates will ensure your business remains PIPEDA compliant as this privacy act legislation continually evolves.
Abide by the 10 Fair Information Principles
PIPEDA has set out ten fair information principles forming the ground rules for the collection, use and disclosure of personal information and for providing access to personal information.
Accountability
Your business is responsible for the safe handling of personal information in its possession and should appoint an individual to be accountable for compliance with the fair information principles.
Identifying Purposes
Before or at the time of data collection, the individual must be advised of the purpose of data collection.
Consent
An individual's knowledge and consent are required for the collection, use or disclosure of their data, except where such consent is inappropriate.
Limiting Collection
Only information collected in a fair and lawful way, and limited to the necessary purposes identified by your business, may be sought.
Limiting Use, Disclosure, and Retention
Personal information may only be used or disclosed for the purposes for which it was collected, unless the individual consents otherwise or the disclosure is required by law. Personal data may only be retained for the period required to serve the purpose of collection.
Accuracy
Data collected must, where possible, be accurate, complete, and up-to-date to serve the purposes for which the data is to be used.
Safeguards
Security measures appropriate to the sensitivity of the data must be in place to protect personal information.
Openness
Your business is obligated to make detailed information about its privacy policies and practices regarding the management of personal information public and readily available.
Individual Access
An individual may submit a Data Subject Access Request (DSAR) to your business to discover what data has been collected and retained and to request certain actions be taken with their data. A DSAR may entail a request that data be deleted, that incorrect information be amended, or an instruction to opt out of further data collection.
Challenging Compliance
Compliance with these PIPEDA principles may be challenged by an individual, and the accountable person, typically your business's Chief Privacy Officer, is obligated to respond.
Compliance with the rules of PIPEDA, along with other international data privacy laws, can often become complicated and time-consuming. Captain Compliance offers the convenience of outsourced compliance to keep your business up to date with the ever-changing data privacy landscape while you focus on your core business.
Your business will be required to ensure continuous compliance with the rules of PIPEDA to avoid both the financial implications and the potential fallout with your customers and the public in the event of a breach in personal data security.
If your business handles personal data that includes sensitive consumer information, then it's a good time to partner with experts like Captain Compliance who understand the ins and outs of these complex regulations.
Get in touch with Captain Compliance, a leading global compliance services specialist, and we can help your business meet your PIPEDA obligations. We offer compliance solutions, including the appropriate compliance training, to help you achieve full PIPEDA compliance.
What are the principles of data privacy?
Three basic principles are lawfulness, fairness, and transparency in the handling of personal data and covering how it's collected, used and processed.
What does the PIPEDA require?
PIPEDA sets out regulations for businesses to be accountable for the personal data collected, used, and disclosed and to take the appropriate measures to protect this information.
What is not personal information?
Business information is generally not considered personal information because, by definition, personal information relates only to natural persons.
Is PIPEDA the same as GDPR?
Both are privacy laws; however, PIPEDA, unlike the GDPR, only applies to businesses engaged in commercial activities and does not apply to public organizations.
Does PIPEDA apply to non-Canadian companies?
PIPEDA will apply to all Canadian and foreign businesses that are actively collecting and processing Canadian citizens’ personal information.