Litigation Trends 2022

Data protection enforcement: What the EU experience suggests might be around the corner for Canadian businesses

In Canada, private sector provincial and federal privacy legislation has historically been enforced through a “name and shame” regime (with regulators publicly naming organizations that fail to comply).

However, recent and proposed legislative changes are opening the door for Canadian privacy regulators to impose significant fines on organizations that do not comply with new privacy standards. The European Union’s recent experience with privacy law enforcement provides some insight into how Canadian regulators may use this enhanced enforcement power.

Where we are: the Canadian context

In Québec, An Act to modernize legislative provisions as regards the protection of personal information, which introduced enhanced data protection requirements similar to those of the European General Data Protection Regulation (GDPR), has already entered the first of its three stages of implementation. Starting in September 2023, organizations doing business in Québec that are found to be in breach of these requirements could face significant monetary consequences including:

  • regulatory penalties up to $10 million or 2% of the organization's global revenue for the previous fiscal year;
  • criminal fines up to $25 million or 4% of the organization’s global revenue for the previous fiscal year for a first offence (double for subsequent offences); and
  • liability for punitive damages in civil lawsuits starting at $1,000 for intentional or grossly negligent violations.

See our article on Québec’s private sector privacy overhaul for more information.

At the federal level, the Office of the Privacy Commissioner (OPC) can currently pursue fines up to $100,000 for a small number of violations of the Personal Information and Electronic Documents Act (PIPEDA) such as obstruction of investigations or failure to report privacy breaches. However, the recently tabled Bill C-27, aimed at aligning Canada with the GDPR, would significantly increase these enforcement powers.

The proposed changes include the creation of a new Data Protection Tribunal that could impose significant monetary penalties following a finding of a violation by the OPC. If the legislation passes, Canadian businesses could face significant monetary consequences similar to those coming into force in Québec in September 2023, including:

  • administrative monetary penalties up to $10 million or 3% of an organization's global revenue for the previous fiscal year; and
  • criminal fines up to $25 million or 5% of an organization's global revenue for the previous fiscal year.

See our article on Bill C-27 for more information about the proposed reforms.

Where we may be going: lessons from the European Union

The GDPR became law in Europe on May 25, 2018, introducing a single standard for data protection across the European Union, but leaving enforcement to member states’ national data protection authorities (DPAs).

It has now been nearly four and a half years since the GDPR was introduced, and the EU experience may provide some guidance on what Canadian organizations can expect if similar enforcement powers are adopted here. Since May 2018, enforcement by DPAs has been steadily increasing (see Figure 1 below). However, the degree of regulatory scrutiny appears to vary considerably by jurisdiction. This may be explained by the unique resource constraints and policy objectives of each member state's DPA (for example, at the time of writing, Spain's DPA had imposed more than 500 published fines under the GDPR, compared to fewer than 30 fines imposed by the French DPA).

Figure 1. Annual number of published fines issued by EU DPAs under the GDPR

In the first two years, enforcement was minimal, likely reflecting an early focus on education. However, by 2021, three years after the GDPR came into force, enforcement boomed.

In 2021, at the same time that overall enforcement increased, the size of the fines being imposed also grew (see Figure 2 below). In most cases where significant fines were imposed, the organization was found to have failed to handle personal data in a lawful, fair, and transparent manner, or implement sufficient measures to ensure information security.

In 2021, a select number of high-profile enforcement actions resulted in record-setting fines under the GDPR. For example, the Luxembourg DPA imposed a €746 million fine on Amazon Europe Core S.a.r.l. for its targeted consumer advertising systems [1]. Later that year, Ireland's DPA also imposed a €225 million fine on WhatsApp Ireland Ltd. for failing to provide sufficiently clear information to users about its information processing activities [2]. Unsurprisingly, consumer-facing businesses appear to face greater regulatory scrutiny.

Figure 2. Annual sum of published fines issued by EU DPAs under the GDPR

Takeaways for businesses

  • The landscape is changing for Canadian privacy regulation. As Canadian data protection regulators gain stronger enforcement powers, companies can likely expect greater scrutiny of data handling practices. However, enforcement may vary from one regulator to another (e.g., the Québec regulator and the proposed federal Data Protection Tribunal may take different enforcement approaches, despite having similar proposed powers). How a new federal privacy law will handle cross-border breaches remains to be seen, and businesses facing investigation in multiple jurisdictions will need to be strategic in efforts to avoid overlapping fines.
  • Consumer-facing businesses may face greater scrutiny. The EU experience with the GDPR, together with the resource constraints shared by Canadian regulators, tells us that consumer-facing businesses (particularly those in retail and media) are likely to face the greatest regulatory scrutiny of their data handling practices. In turn, these companies should devote more resources to proactive transparency and ethical data processing.
  • Enforcement activities are on the rise. Building on European experience, we expect that Canadian regulators will use the first few years following legislative reforms to focus on education and strategic enforcement aimed at deterrence. However, the EU experience shows that regulators may not wait long to use their new enforcement powers. Canadian businesses should stay abreast of these reforms and plan their compliance updates early to avoid delays in aligning their data processing, breach response and AI strategies with new legal requirements.

  1. The decision is currently under appeal.

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

© 2023 by Torys LLP.

All rights reserved.