By virtually every measure, 2010 was a remarkably successful year for Canadian privacy commissioner Jennifer Stoddart. Riding the wave of high-profile investigations into the privacy practices of Internet giants Facebook and Google, Stoddart received accolades around the world, while garnering a three-year renewal of her term at home.
My regular technology law column (Toronto Star version, homepage version) notes that last week Stoddart used her first public lecture of 2011 to put the Canadian privacy and business communities on notice that she intends to use her new mandate to reshape the enforcement side of Canadian privacy law. Speaking at the University of Ottawa, Stoddart hinted that she plans to push for order making power, tougher penalties, and a “naming names” strategy that may shame some organizations into better privacy compliance practices.
Canadian privacy law has quietly undergone some important changes in recent years. Legislation designed to implement changes to the broad-based private sector privacy law (PIPEDA) has been stuck in the slow lane, but the federal government has passed anti-spam and identity theft legislation, while several provinces have enacted health privacy and security breach disclosure reforms.
With a mandatory PIPEDA review scheduled for this year, more changes may be on the way. When the privacy law took effect in 2001, it included a promise of a review of the law every five years. During the first review in 2006, Stoddart was generally supportive of the legislation, acknowledging that it was still relatively new and in need of greater testing before undergoing dramatic change.
The past five years appear to have convinced Stoddart that the time for change has come. Noting that “too many organizations collect too much information about Canadians,” she emphasized the need to beef up enforcement in order to ensure greater respect for the law.
Stoddart’s speech indicated that the enforcement reform proposals could focus on three issues. First, she may seek order making power, an upgrade from the current rules that limit her to releasing non-binding findings. That approach has led to resolutions of the majority of privacy complaints, but the inability to issue legally binding orders may have hurt national privacy compliance rates. Order making power is common at the provincial level, creating a surprising disparity of legal authority between provincial privacy commissioners such as Ontario commissioner Ann Cavoukian, who can issue orders, and the federal commissioner, who cannot.
Second, Stoddart noted that penalties for non-compliance are standard in many countries around the world but nowhere to be found within the Canadian statute. Ironically, there are potential penalties for failure to comply with a privacy investigation, yet the law leaves Stoddart without any recourse to punish wrongdoing. Given the reluctance of Canadian courts to issue damage awards for privacy violations, statutory reforms may be needed to give the law both bark and bite.
Third, Stoddart is toying with the notion that her office should be empowered to name organizations that violate the law. The current statute only permits disclosure in a limited series of circumstances, meaning that most privacy violators are not named in publicly-released findings.
Stoddart admitted that the secrecy may be “robbing Canadians of the educational value of some of our findings” since the public is unable to reward good privacy practices or punish bad ones if they are kept in the dark about the identity of privacy complaint targets. A naming names approach is long overdue and would at long last lift the veil of anonymity associated with privacy findings.
These enforcement issues are contentious and therefore likely to meet with stiff resistance from some in the business community. Yet with the clock running on her three-year term and the government required to review the law, there is seemingly no better time to put privacy law reform in the spotlight.