If you read this digest, it is likely that you also subscribe to the IAPP’s daily newsletter that reports on privacy news from around the world, the Daily Dashboard. I was reading this publication recently and noticed a few stories about enforcement actions out of the EU. It has been approximately six months since the GDPR came into force, and some investigations have been completed. Not surprisingly, some of these investigations have resulted in fines being levied.
Some are modest — like 4,000 euros — but others are CASL-like. For instance, one hospital was fined by the Portuguese DPA approximately 400,000 euros.
And, while I was reading these stories, it made me think about the enforcement models being used in Canada. A recent case from the Federal Court came to mind. Here’s a link to the entire case if you want to read it.
It is about how the Royal Bank of Canada mishandled and lost a customer’s mortgage application paperwork. Unfortunately, the privacy commissioner’s investigation led to no meaningful recourse for the complainant, and she was forced to take on the banking giant by herself by initiating risky litigation. She did not retain a lawyer but won her case after the court concluded that RBC failed to meet PIPEDA’s obligation to properly safeguard the information.
I’m not sure what would’ve happened in the EU if a DPA was presented with a similar case. But, in this instance, the RBC was ordered to pay the complainant $2,000 and an additional $800 in costs. What do you think? Does that provide sufficient incentive among Canadian organizations to ensure that they properly safeguard your information?
My suspicion is that the RBC is much more careful with its e-marketing efforts because the fines under CASL provide enough incentive. It failed to meet PIPEDA obligations in this case, and I can only speculate about whether the result of this case will result in any greater effort to make sure PIPEDA isn’t violated in the future. Your thoughts are always welcome.
Have a great weekend.
If you want to comment on this post, you need to login.