This enactment amends the Personal Information Protection and Electronic Documents Act to expand the grounds on which the Privacy Commissioner may decide not to investigate a complaint. It also authorizes the Privacy Commissioner to make orders directing an organization to take any action that, in the Commissioner’s opinion, is reasonable to ensure compliance with the organization’s obligations under the Act. Finally, this enactment provides that an organization that is found to have failed to comply with certain obligations under the Act is liable to a fine.

Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

• Start of inserted block

  (d) having regard to all the circumstances, an investigation is not necessary or reasonably practicable.

  End of inserted block

• (f) any of the circumstances mentioned in paragraphs 12(1)‍(a) to ( Insertion start d Insertion end ) apply; or

Compliance Orders

Compliance orders

12.‍3 (1) On completing an investigation, if the Commissioner is of the opinion that the organization that is the object of the investigation has contravened a provision of Division 1 or 1.‍1 or has not followed a recommendation set out in Schedule 1, he or she may, by order, direct the organization to do, or to refrain from doing, anything that, in the Commissioner’s opinion, is reasonable and necessary in order to ensure compliance with Division 1 or 1.‍1 or Schedule 1.

Conditions

(2) The Commissioner may specify any conditions in the order that he or she considers appropriate.

Copy of order

(3) The Commissioner shall give a copy of the order to the organization concerned and, if the investigation was conducted in respect of a complaint filed by an individual, to that individual.

Compliance

(4) The organization shall comply with the order within the period specified by the Commissioner in the order or, on written application by the organization within the specified period, within any longer period that the Commissioner considers reasonable in the circumstances.

Effect of filing

(5) An order of the Commissioner under subsection (1) becomes an order of the Court when a certified copy of it is filed in that court, and it may subsequently be enforced as such.

Contents

13 (1)  Insertion start If Insertion end the Commissioner Insertion start decides not to make an order under subsection 12.‍3(1) in respect of a matter that is the object of an investigation, he or she Insertion end shall, within one year after the day on which a complaint is filed or is initiated by the Commissioner, prepare a report that contains

Application

14 (1) A complainant may, after receiving the Commissioner’s report, Insertion start being notified under subsection 12(3) of a decision under paragraph 12(1)‍(d) that the complaint will not be investigated Insertion end or being notified under subsection 12.‍2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.‍1.‍3, 4.‍2, 4.‍3.‍3, 4.‍4, 4.‍6, 4.‍7 or 4.‍8 of Schedule 1, in clause 4.‍3, 4.‍5 or 4.‍9 of that Schedule as modified or clarified by Division 1 or 1.‍1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.‍1.

Compliance

18 (1) The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization Insertion start to verify compliance or prevent non-compliance with the provisions Insertion end of Division 1 or 1.‍1 Insertion start or the recommendations Insertion end set out in Schedule 1, and for that purpose may

Offence and punishment — organization

28.‍1 (1) Every organization that knowingly or recklessly contravenes section 5 is guilty of

• (a) an offence punishable on summary conviction and liable to a fine not exceeding $15 million; or

• (b) an indictable offence and liable to a fine not exceeding $30 million.

  End of inserted block

Aggravating or mitigating factors

(2) In determining the amount of a fine to be imposed under subsection (1), the court shall consider the following:

• (a) the size, resources and capacity of the organization;

• (b) the nature, gravity and duration of the contravention, taking into account the nature, scope or purpose of the organization’s activities as well as the number of individuals affected and any loss or damage suffered by them as a result of the contravention;

• (c) any measures taken by the organization to mitigate the loss or damage suffered by the individuals;

• (d) the history of compliance with this Act by the organization;

• (e) the extent to which the organization has cooperated with the Commissioner to remedy the contravention and mitigate its adverse effects;

• (f) the nature of the personal information in relation to which the offence was committed; and

• (g) any other relevant factor.

  End of inserted block