The reports from @PrivacyPrivee ( https://priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2020/pipeda-2020-005/) and @CAI_Quebec ( https://www.cai.gouv.qc.ca/communique-cai-decision-enquete-desjardins/) into the #Desjardins data breach were released today. Bottom line - a major failure or internal security safeguards. @uOttawaTechLaw
What might be different if #BillC11 were in effect? The Commissioner could recommend the imposition of a monetary penalty. The new Data Tribunal would hold a hearing to decide if a penalty should be imposed - and penalties can be substantial. But...
Penalties are "to promote compliance with the Act and not to punish" (s. 94(6)), and the Findings say the complaint is conditionally resolved by the company's willingness to comply with the Comm'r's recommendations.
So this may not be the type of conduct for which penalties were intended. Of course, the class action lawsuits will be brutal - with or without C-11.