|
I posted
last week about the growing frustration over usage based billing
practices in Canada. To no one's surprise, yesterday the CRTC released
its decision that confirms the practice that is likely to spell the end
of unlimited Internet access from most ISPs in Canada. Coverage
from
the Globe,
Ars
Technica, and Peter
Nowak.
Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareWednesday January 26, 2011 |
|
|
The CRTC has reaffirmed
its support
for the Commissioner for Complaints for Telecommunications Services
(CCTS), an agency that works to resolve disagreements between Canadians
and their service providers. I wrote
about the CCTS last year.
Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareWednesday January 26, 2011 |
|
By virtually every measure, 2010 was a remarkably successful year for Canadian privacy commissioner Jennifer Stoddart. Riding the wave of high profile investigations into the privacy practices of Internet giants Facebook and Google, Stoddart received accolades around the world, while garnering a three-year renewal of her term at home.
My regular technology law column (Toronto Star version, homepage version) notes that last week Stoddart used her first public lecture of 2011 to put the Canadian privacy and business communities on notice that she intends to use her new mandate to reshape the enforcement side of Canadian privacy law. Speaking at the University of Ottawa, Stoddart hinted that she plans to push for order making power, tougher penalties, and a “naming names” strategy that may shame some organizations into better privacy compliance practices. Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareWednesday January 26, 2011 |
|
View
|
|
stoddartcolumn
Appeared
in the Toronto Star on January 23, 2011 as Empower Privacy Watchdogs to
Enforce Laws, Name Offenders
By virtually every measure, 2010 was a remarkably successful year for
Canadian privacy commissioner Jennifer Stoddart. Riding the wave
of high profile investigations into the privacy practices of Internet
giants Facebook and Google, Stoddart received accolades around the
world, while garnering a three-year renewal of her term at home.
Last week Stoddart used her first public lecture of 2011 to put the
Canadian privacy and business communities on notice that she intends to
use her new mandate to reshape the enforcement side of Canadian privacy
law. Speaking at the University of Ottawa, Stoddart hinted that
she plans to push for order making power, tougher penalties, and a
“naming names” strategy that may shame some organizations into better
privacy compliance practices.
Canadian privacy law has quietly undergone some important changes in
recent years. Legislation designed to implement changes to the
broad-based private sector privacy law (PIPEDA) has been stuck in the
slow lane, but the federal government has passed anti-spam and identity
theft legislation, while several provinces have enacted health privacy
and security breach disclosure reforms.
With a mandatory PIPEDA review scheduled for this year, more changes
may be on the way. When the privacy law took effect in 2001, it
included a promise of a review of the law every five years.
During the first review in 2006, Stoddart was generally supportive of
the legislation, acknowledging that it was still relatively new and in
need of greater testing before undergoing dramatic change.
The past five years appears to have convinced Stoddart that the time
for change has come. Noting that “too many organizations collect
too much information about Canadians,” she emphasized the need to beef
up enforcement in order to ensure greater respect for the law.
Stoddart’s speech indicated that the enforcement reform proposals could
focus on three issues. First, she may seek order making power, an
upgrade from the current rules that limit her to releasing non-binding
findings. That approach has led to resolutions of the majority of
privacy complaints, but the inability to issue legally binding orders
may have hurt national privacy compliance rates. Order making
power is common at the provincial level, creating a surprising
disparity of legal authority between provincial privacy commissioners
such as Ontario commissioner Ann Cavoukian who can issue orders and the
federal commissioner who cannot.
Second, Stoddart noted that penalties for non-compliance are standard
in many countries around the world but nowhere to be found within the
Canadian statute. Ironically, there are potential penalties for
failure to comply with a privacy investigation, yet the law leaves
Stoddart without any recourse to punish wrongdoing. Given the
reluctance of Canadian courts to issue damage awards for privacy
violations, statutory reforms may be needed to give law both bark and
bite.
Third, Stoddart is toying with the notion that her office should be
empowered to name organizations that violate the law. The current
statute only permits disclosure in a limited series of circumstances,
meaning that most privacy violators are not named in publicly-released
findings.
Stoddart admitted that the secrecy may be “robbing Canadians of the
educational value of some of our findings” since the public is unable
to reward good privacy practices or punish bad ones if they are kept in
the dark about the identity of privacy complaint targets. A
naming names approach is long overdue and would at long last lift the
veil of anonymity associated with privacy findings.
These enforcement issues are contentious and therefore likely to meet
with stiff resistance from some in the business community. Yet with the
clock running on her three-year term and the government required to
review the law, there is seemingly no better time to put privacy law
reform in the spotlight.
Michael Geist holds the Canada
Research Chair in Internet and E-commerce Law at the University of
Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online
at www.michaelgeist.ca.
Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareWednesday January 26, 2011 |
|
|
