Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The idealist in me likes the way the drafters of our privacy laws thought when it came to enforcement. If you show or tell organizations — in the public or private sector — that they can better respect people's privacy rights, the organizations will surely implement those suggestions because it is the right thing to do.
That was me in 1997.
In 2025, my idealistic self is overwhelmed by advocates telling me that if you want organizations to properly respect people's privacy, you need to have severe punishments if they decide not to abide by the law.
Keep in mind that I was litigation counsel for the Office of the Privacy Commissioner of Canada from 2004 to 2007. At that time, when organizations were not voluntarily complying with the OPC's recommendations, we used the simple fact that we could take them to court as leverage to convince them to change their tune and then comply. I think this is an extremely effective tool.
Even with that, there has been a massive call for greater penalties for noncompliance. People insist that we need monetary fines to make organizations more aware of privacy and to take it more seriously.
So, I try to be neutral on this topic, and I understand both sides. On the one hand, the ability to get a court order forcing an organization not to do something is a threat that can provide a sufficient deterrent. On the other hand, maybe what's needed is an incentive to not get in trouble in the first place.
In Canada, Quebec's data protection authority, the Commission d'accès à l'information du Québec, can administer monetary penalties under its private-sector law — none have been imposed so far. The Information and Privacy Commissioner of Ontario can administer monetary penalties under the Personal Health Information Protection Act.
This week, for the first time in Canadian history, a privacy regulator — Ontario — issued a monetary penalty against a medical professional and the clinic where they worked for violating patients' privacy. The facts are pretty egregious. The culprit, without consent or notice, took newborn and parent information from hospitals and then used it to market and sell their own services that might be required by the new baby or desired by the parents. The professional has been ordered to pay CAD5,000 and the clinic an additional CAD7,500.
I'm going to bring this up in my privacy law class next week. If you've read my notes before, you know I'm a little obsessed with how people come up with valuing, in a financial sense, what a breach of privacy is worth. Was this the right amount? Was it too much? Too little? Would the Europeans wonder why we chose such a small amount in contrast with some of the fines we see coming out of the EU? Would other countries be mad at us for choosing a monetary penalty in the first place?
I'm writing this on the tail-end of a regular get-together we have at our firm. It's a small firm that hits above its weight. This is partly because some of us are conservative and see privacy, data protection and artificial intelligence through a particular lens. Others see it differently — more liberally and connected to human rights. We chat about our differences and are, maybe sometimes, reluctantly persuaded by someone's ideas that were different than our own. I think that's what makes us a great firm.
We had a healthy debate on the merits of the monetary penalty and what I think was a quintessential Canadian experience where we can have and express divergent perspectives respectfully. I'd be interested in knowing what the imposition of Canada's first monetary penalty means to all of you in your work.
Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.