Naming & shaming: Understanding the implications of privacy complaints
As a privacy strategist, I was consulted by a company that received a Notice from the Office of the Privacy Commissioner of Canada (“OPC”). The Notice outlined that someone had filed a complaint against the company. The company felt the complaint was frivolous. Perplexed by the ordeal, the company reached out to me with a burning question: why would someone bother filing a complaint with a privacy regulator, especially if the complaint seemed frivolous?
The company was convinced that the complainant had ulterior motives, perhaps seeking monetary compensation. To their surprise, they learned that, contrary to popular belief, complainants don't receive financial rewards if their grievances are deemed valid by the privacy regulator.
Of course, this led them to ask the next obvious question: why would anyone go through the trouble of filing a complaint with the OPC, especially if it appears baseless? The answer is simple: to name and shame.
Behind every complaint lies a sense of injustice or wrongdoing felt by the complainant. The OPC provides individuals with an avenue to file a complaint when they feel their privacy was breached. In many cases, the complaint is justified and so are the OPC’s investigation and resultant regulatory orders. This process has resulted in many positive changes in protecting consumers’ privacy.
However, when a frivolous complaint is filed, even if the OPC finds the complaint to be unsound, there may be some residual implications for the company, as discussed below.
Once a complaint is filed, the OPC may investigate it to determine if the individual’s privacy rights have been contravened. The OPC will conduct an objective, fair, and impartial investigation to resolve the complaint and prevent contraventions from recurring.
Depending on the complaint, the OPC will gather relevant evidence to investigate the matter. This includes conducting interviews and requesting and reviewing relevant documents such as policies and procedures, all of which are at the OPC’s discretion. The OPC will inquire about how those policies and procedures are operationalized and implemented in the company's day-to-day operations, and who is monitoring and enforcing those practices. While the investigation will be focused on the complaint and topics relevant thereto, privacy compliance is not compartmentalized – meaning the pillars of your Privacy Program bleed into one another, and therefore the investigation can become a bit of a slippery slope. For example, if someone complains about the collection of their sensitive personal information, the OPC will not just look at what information the company collects and the purpose for collecting such information; there is a good chance they will also look into the company’s retention policies, retention schedules, and the implementation of the documented retention practices. This is one example of how the investigation can lead the OPC to ask questions peripheral to the complaint.
As no company is 100% compliant, it will not be difficult for the OPC to identify a gap in the company’s Privacy Program. In other words, the commencement of an investigation can open up a can of worms for a company – all because of one complaint by a disgruntled individual – which of course can be an employee, customer, consumer rights group, reporter, etc.
If the complaint is substantiated or well-founded, the OPC will prepare a Report of Findings that includes a summary of both sides of the investigation, its findings and recommendations, any agreements reached between the parties, the timeline by which remediation will take place, and the recourse, if any, that is available through the Federal Court.
Depending on the issue at hand (e.g. whether it’s a novel privacy issue) or the industry the company is in (e.g. one that is highly regulated), the Report of Findings may be made public, not only on the OPC website but also in the media. This, of course, can have devastating consequences for a company. The repercussions extend far beyond mere inconvenience; there are financial implications, business disruptions, and PR nightmares to contend with.
So, how can companies avoid being dragged into the spotlight of shame – through either a sound or a frivolous complaint? The key lies in proactive preparation. Maintain an effective Privacy Program with regularly updated policies and procedures. Ensure that your Privacy Program is not just a document gathering dust on a shelf but is actively enforced and operationalized throughout your organization. Designate a Privacy Officer to be accountable for privacy in the business. If you are a company operating in Quebec and you do not have a Privacy Officer, by default, the CEO or President will be designated the Privacy Officer. Your Privacy Officer should be aware of all the personal information processing activities handled by the company and manage the potential risks through Privacy Impact Assessments.
Every decision made within a company should be viewed through the lens of potential regulatory scrutiny. In today's digital age, where privacy concerns loom large, complacency is a luxury no business can afford.
Contrary to popular belief, a business does not need to be a tech giant like Meta or Google to attract the attention of regulators. All it takes is one disgruntled individual to set the wheels of investigation in motion.
While the OPC cannot issue fines (as yet), the repercussions from a privacy complaint and resultant investigation can be more costly than a simple fine and can impact the company for years to come.