Section 17.1 of PIPEDA allows the Privacy Commissioner of Canada to resolve certain privacy-law issues through a compliance agreement instead of proceeding directly to court. This tool encourages cooperation and faster remediation of privacy problems within organizations.
What Is a Compliance Agreement?
A compliance agreement is a formal written commitment between the Privacy Commissioner and an organization. It is used when the Commissioner believes on reasonable grounds that the organization:
has committed, is about to commit, or is likely to commit an act that would violate a provision of Division 1 or 1.1 of PIPEDA, or has failed to follow one of the principles set out in Schedule 1 of the Act (for example, accountability, consent, or safeguards).
The agreement sets out specific terms to bring the organization back into compliance and prevent further violations.
Terms and Flexibility
Under subsection 17.1(2), the agreement may contain any terms the Commissioner considers necessary to ensure compliance.
These may include:
implementing or updating privacy policies, providing staff training, improving security measures, submitting progress reports, or committing to independent audits.
The goal is corrective action.
Legal Effect of an Agreement
Once a compliance agreement is signed:
The Commissioner cannot apply to the Federal Court for a hearing on the same matter under subsections 14(1) or 15(a). If any such applications are already before the Court, the Commissioner must apply for their suspension.
This means the matter is effectively paused while the organization fulfills its obligations under the agreement.
Rights That Remain
The Act makes clear that a compliance agreement does not limit:
an individual’s right to apply to the Court for a hearing under section 14, or the possibility of a prosecution for an offence under the Act.
In other words, while the Commissioner and an organization may settle through cooperation, affected individuals or prosecutors still retain their independent rights.
