Canadian regulators bemoan inability to apply GDPR-style fines

(Canada) Canadian privacy regulators are frustrated at the inability to apply large financial penalties to companies that violate Canadian data privacy law, pointing out the case of AggregateIQ which is a company linked to the Cambridge Analytica investigation. The Globe and Mail reports as follows:

A small B.C. [British Colombia, Canada] company involved in a scandal that saw the personal information of millions of voters illicitly collected for the purpose of shaping political events around the world will not face financial penalties in Canada for its misuse of data.

A joint investigation by the privacy commissioners of British Columbia and Canada concluded AggregateIQ (AIQ) broke domestic privacy laws, shaking Canadians’ confidence in the political campaign system.

But BC Privacy Commissioner Michael McEvoy expressed frustration that he could not levy a fine, unlike regulators in the United States and the European Union.

“It is the kind of case where we would have looked at monetary penalties to be administered on a company,” Mr. McEvoy said. “This is an area where Canada is in serious need of reform. In Europe, under the privacy regulation there, companies can be fined significant, significant amounts of money which act as a real deterrent.”

AIQ is linked to the political consulting company Cambridge Analytica. Both agencies were co-founded by Canadian Christopher Wylie, who later emerged as the whistle-blower who revealed that the personal information of up to 87 million Facebook users globally may have been improperly used to influence elections.

(Privacy press clipping sourced via The Globe and Mail)
Jurisdiction: Canada

Key takeaways:


  • Canadian data privacy regulator, Michael McEvoy, has expressed frustration on the inability – under existing legislation – to levy significant fines upon companies that breach privacy rules. Michael McEvoy is British Colombia’s Privacy Commissioner and his office has made findings that AggregateIQ violated Canadian privacy laws.

  • Michael McEvoy has called for legislative changes in Canada to strengthen privacy law and create an ability for regulators to levy dissuasive fines. He would have in mind the fines available under the GDPR. While others have called for the same thing, it is not clear whether this is a realistic near-term expectation. The fallout of the Cambridge Analytica scandal, however, may present as good a case as any for action in this area by the government.

  • As a result of what some would call weak privacy laws, AggregateIQ will not be fined under existing arrangements in Canada for its part in the Cambridge Analytica operations on Facebook. By contrast, in the United States, the “U.S. Federal Trade Commission and Facebook [have] said the social-media company will pay a record-breaking US$5-billion fine to resolve a government probe triggered by the Cambridge Analytica case.” This is the biggest fine in our database at dataprivacyfines.com at the present time.

Leave a Reply

Your email address will not be published. Required fields are marked *