Privacy regulatory authorities have an obligation to investigate complaints, as well as the authority to initiate complaints.
Under PIPEDA, a complaint must be investigated by the Commissioner and a report will be prepared that includes the Commissioner’s findings and recommendations. A complainant (but not the organization subject to the complaint) may apply to the Federal Court for a review of the findings and the court has authority to, among other things, order an organization to correct its practices and award damages to the complainant, including damages for any humiliation that the complainant has suffered.
Under PIPA Alberta and PIPA BC, an investigation may be elevated to a formal inquiry by the Commissioner resulting in an order. Organizations are required to comply with the order within a prescribed time period, or apply for judicial review. In both BC and Alberta, once an order is final, an affected individual has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach.
In Alberta and BC, a person that commits an offense may be subject to a fine of not more than CA$100,000. Offenses include, among other things, collecting, using and disclosing personal information in contravention of the Act (in Alberta only), disposing of personal information to evade an access request, obstructing the commissioner, and failing to comply with an order.
Similarly, under the Quebec Privacy Act, an order must be complied with within a prescribed time period. An individual may appeal to the judge of the Court of Quebec on questions of law or jurisdiction with respect to a final decision.
A failure to comply with the Quebec Privacy Act’s requirements (as currently applicable) in respect of the collection, storage, communication or use of personal information is liable to a fine of up to CA$10,000 and, for a subsequent offense, to a fine up to CA$ 20,000. Any one who hampers an inquiry or inspection by communicating false or inaccurate information or otherwise is liable to a fine of up to CA$10,000 and, for a subsequent offense, to a fine of up to CA$20,000.
Starting September 22, 2023, the new Quebec Privacy Act, as modified by Bill 64, will introduce much more severe penalties. The maximum penalties will range between CA$5,000 and CA$100,000 in the case of individuals, and up to between CA$15,000$ and CA$25 million or 4% of worldwide turnover for the preceding fiscal year for organizations.
There are also statutory privacy torts in various provinces under separate legislation, and Ontario courts have recognized a common-law cause of action for certain privacy torts. In Quebec, a general right to privacy also exists under the Civil Code of Quebec and the Charter of Human Rights and Freedoms. Organizations may face litigation (including class action litigation) under these statutory and common-law torts, in addition to any enforcement or claims under Canadian Privacy Statutes.