Marking 20 years
of bold journalism,
reader supported.
Mediacheck
Rights + Justice

Privacy Superhero Reveals Her Plan

Commissioner Jennifer Stoddart lays out her get strong, get tough agenda.

Michael Geist 25 Jan 2011TheTyee.ca

Michael Geist, whose column on digital policy and law runs every Tuesday on The Tyee, holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at [email protected] or online at www.michaelgeist.ca.

image atom
Just watch her: Canadian privacy commissioner Jennifer Stoddart.

By virtually every measure, 2010 was a remarkably successful year for Canadian privacy commissioner Jennifer Stoddart. Riding the wave of high profile investigations into the privacy practices of Internet giants Facebook and Google, Stoddart received accolades around the world, while garnering a three-year renewal of her term at home.

Last week Stoddart used her first public lecture of 2011 to put the Canadian privacy and business communities on notice that she intends to use her new mandate to reshape the enforcement side of Canadian privacy law. Speaking at the University of Ottawa, Stoddart hinted that she plans to push for order-making power, tougher penalties and a "naming names" strategy that may shame some organizations into better privacy compliance practices.

Canadian privacy law has quietly undergone some important changes in recent years. Legislation designed to implement changes to the broad-based private sector privacy law (PIPEDA) has been stuck in the slow lane, but the federal government has passed anti-spam and identity theft legislation, while several provinces have enacted health privacy and security breach disclosure reforms.

With a mandatory PIPEDA review scheduled for this year, more changes may be on the way. When the privacy law took effect in 2001, it included a promise of a review of the law every five years. During the first review in 2006, Stoddart was generally supportive of the legislation, acknowledging that it was still relatively new and in need of greater testing before undergoing dramatic change.

The past five years appears to have convinced Stoddart that the time for change has come. Noting that "too many organizations collect too much information about Canadians," she emphasized the need to beef up enforcement in order to ensure greater respect for the law.

Seeking power and penalties

Stoddart's speech indicated that the enforcement reform proposals could focus on three issues. First, she may seek order-making power, an upgrade from the current rules that limit her to releasing non-binding findings. That approach has led to resolutions of the majority of privacy complaints, but the inability to issue legally binding orders may have hurt national privacy compliance rates. Order-making power is common at the provincial level, creating a surprising disparity of legal authority between provincial privacy commissioners such as Ontario commissioner Ann Cavoukian who can issue orders and the federal commissioner who cannot.

Second, Stoddart noted that penalties for non-compliance are standard in many countries around the world but nowhere to be found within the Canadian statute. Ironically, there are potential penalties for failure to comply with a privacy investigation, yet the law leaves Stoddart without any recourse to punish wrongdoing. Given the reluctance of Canadian courts to issue damage awards for privacy violations, statutory reforms may be needed to give law both bark and bite.

Third, Stoddart is toying with the notion that her office should be empowered to name organizations that violate the law. The current statute only permits disclosure in a limited series of circumstances, meaning that most privacy violators are not named in publicly released findings.

Stoddart admitted that the secrecy may be "robbing Canadians of the educational value of some of our findings" since the public is unable to reward good privacy practices or punish bad ones if they are kept in the dark about the identity of privacy complaint targets. A naming names approach is long overdue and would at long last lift the veil of anonymity associated with privacy findings.

These enforcement issues are contentious and therefore likely to meet with stiff resistance from some in the business community. Yet with the clock running on her three-year term and the government required to review the law, there is seemingly no better time to put privacy law reform in the spotlight.  [Tyee]

Read more: Rights + Justice

  • Share:

Facts matter. Get The Tyee's in-depth journalism delivered to your inbox for free

Tyee Commenting Guidelines

Comments that violate guidelines risk being deleted, and violations may result in a temporary or permanent user ban. Maintain the spirit of good conversation to stay in the discussion.
*Please note The Tyee is not a forum for spreading misinformation about COVID-19, denying its existence or minimizing its risk to public health.

Do:

  • Be thoughtful about how your words may affect the communities you are addressing. Language matters
  • Challenge arguments, not commenters
  • Flag trolls and guideline violations
  • Treat all with respect and curiosity, learn from differences of opinion
  • Verify facts, debunk rumours, point out logical fallacies
  • Add context and background
  • Note typos and reporting blind spots
  • Stay on topic

Do not:

  • Use sexist, classist, racist, homophobic or transphobic language
  • Ridicule, misgender, bully, threaten, name call, troll or wish harm on others
  • Personally attack authors or contributors
  • Spread misinformation or perpetuate conspiracies
  • Libel, defame or publish falsehoods
  • Attempt to guess other commenters’ real-life identities
  • Post links without providing context

LATEST STORIES

The Barometer

Do You Think Naheed Nenshi Will Win the Alberta NDP Leadership Race?

Take this week's poll