It is more important than ever for organizations to have appropriate privacy compliance programs in place to mitigate significant privacy related risks.

Given their statutory and fiduciary duties, the directors of an organization's board have a unique responsibility and legal duty to ensure their organization has appropriate privacy compliance programs in place to mitigate these risks. In particular, an organization's board of directors is responsible for managing the business affairs of the organization and directors are required to act honestly and in good faith with a view to the best interests of the organization and to exercise the care, diligence and skill of a reasonable person in comparable circumstances.

When it comes to privacy, this means that directors are responsible for ensuring that the organization is in compliance with privacy laws and takes appropriate steps to mitigate privacy and related risks (including cybersecurity).

An organization's failure to have appropriate privacy compliance programs in place can result in significant financial and reputational consequences. Directors may also be held personally liable in cases where they do not provide appropriate oversight to mitigate the risks of these consequences.

The following are some recent examples that illustrate the significant potential consequences for organizations and requirements for directors relating to privacy:

  • A few months ago, as part of an announced settlement with the Canadian Competition Bureau, Facebook Inc. agreed to pay a $9 million penalty plus $500,000 in costs in connection with allegations that Facebook made misleading privacy claims to its users. In particular, the Competition Bureau found that Facebook made false or misleading claims about the privacy of Canadians' personal information on Facebook and the Facebook Messenger app.
  • The recently announced Bill C-11 (the Digital Charter Implementation Act, 2020), introduces potentially significant financial consequences for organizations that are not in compliance with their privacy obligations. In particular, Bill C-11 proposes potential penalties of up to 3% of an organization's global revenues or $10 million for violations, whichever is greater. In the most serious cases, that penalty could be has high as 5% of global revenue or $25 million, whichever is greater. See our recent blog post on Canada's proposed new privacy legislation.
  • In a privacy breach involving close to 9.7 million individuals in Canada and abroad, the federal Privacy Commissioner concluded that Desjardins did not have appropriate oversight and control measures in place to protect personal information. A recent report released by the Autorité des marches financiers (AMF) relating to the incident found in that case that senior management and directors failed in the performance of their duties by not putting in place sufficiently robust governance measures and controls. [link https://lautorite.qc.ca/en/general-public/media-centre/news/fiche-dactualites/amf-orders-the-federation-to-comply-with-its-sound-and-prudent-management-obligations]

Directors can manage their responsibilities and mitigate their liabilities by taking certain key steps and ensuring that appropriate privacy compliance programs are in place. It is thus critical for directors to be properly trained and informed on and the requirements of privacy laws. We regularly provide privacy compliance training for directors and offer a number of fixed-price solutions for organizations with respect to their privacy compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.