Complaint and sanctions
The Privacy Commissioner's Office is notably responsible for ensuring PIPEDA compliance and can as such receive complaints, intervene through a process of investigation and issue compliance reports. If the Commissioner's Office if of the view that an organization contravenes its obligations regarding data security measures, it may report this information to the Attorney General of Canada who may take any action deemed appropriate. The organization could then, in addition to having to rectify its practices, be fined.
It is interesting to note that the coming into force of these Canadian provisions is in line with the regime established by the General Data Protection Regulation (GDPR) in Europe, which came into effect last May. We can see therefore, that the privacy principles that were already in place remain here, as elsewhere, but that they become subject to disclosure and record-keeping requirements by organizations. These obligations tend also to be subject to an increasingly coercive nature, which is obviously intended to increase the importance that organizations must attach to the protection of individuals' data.
In short, regardless of their size, all organizations that collect, manage, use and/or retain personal information in Canada are required to comply with all applicable laws regarding the collection, processing and protection of personal information. Should you wish to know more about your privacy obligations or wish to be assisted on this matter, please contact Ms. Sophie Deschênes-Hébert.