Canada’s Privacy Wake-Up Call

My weekly Law Bytes column (Toronto Star version, freely available version) focuses on the recent Maclean’s cover story in which a reporter obtained the personal phone records of Privacy Commissioner Jennifer Stoddart. I argue that, in a year dominated by almost daily privacy and security violations that have placed the personal information of millions at risk, this privacy breach, which affected just one person, ranks as 2005’s most shocking incident.

Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as "victims" of fraudulent activity and claim that a rapid response to the incident is proof that Canada’s privacy laws are working as intended, the reality is that Canadian law is simply ill-equipped to deal effectively with such incidents.

In light of the privacy breach, the public might naturally expect that the Privacy Commissioner of Canada has the powers to address the issue.  She does not.

The investigation will naturally focus on both the telecommunications providers that disclosed the phone records as well as the U.S.-based data broker that obtained and later sold the information.

The Privacy Commissioner has little recourse against the telecommunications providers.  Although she can investigate the incident, without possessing order-making power, the Commissioner is reduced to issuing a non-binding "finding" that must be pursued in federal court in order to levy any financial penalties. 

Indeed last week it was the CRTC that was better able to immediately address the issue.  Within days of the report, it sent a letter to the telecommunications providers demanding an internal investigation and imposing a strict 10-day deadline to furnish a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity, and new measures being taken to improve security.

The situation with respect to the U.S.-based data broker is even bleaker. Last week the Privacy Commissioner declined to investigate a complaint against another U.S. data broker, arguing that Canada’s privacy laws do not provide sufficient powers to investigate out-of-country operators.

The implications of that decision are stunning, suggesting that Canadians enjoy no privacy protection for personal information that is disclosed to non-Canadian entities. Although the Commissioner’s interpretation of the limits of the law is subject to challenge – there is a good argument that the jurisdictional limitations on investigation should not act as a barrier to issuing a finding against a foreign entity – it is increasingly clear that Canadian law is not up to the challenge of providing effective privacy protection in a world of global data flows that do not respect national borders.

Tackling this challenge will not be easy, particularly as the Commissioner is asked to address a growing number of concerns including spam, spyware, and the threat of secret disclosures compelled by U.S. law enforcement. A starting point, however, is to provide the Commissioner with order-making power, the unquestioned ability to name the names of privacy violators, and the resources necessary to meet her mandate.

While a statutory review of Canada’s national privacy legislation is slated for 2006, there is no need to wait for the review. With an imminent national election call, Canada’s political leaders should be required to answer a simple question – how are they prepared to reform Canadian law to provide meaningful privacy protection in the Internet era?


  1. I do not understand why the Privacy Commissioner position is not part of the CRTC.

    The job of the CRTC’s telecom portion is to understand the intricacies of networks and how they work, so as to regulate them in the public interest.

    You can’t regulate privacy without getting into those intricacies, and working closely with the network operators to fix them.

    Creating two regulatory bodies with an almost identical job — regulate the intricacies of networks — means that lots falls between the cracks. The CRTC, for instance, has never regarded privacy as its job … and it was right.

    It’s time to fix things. Creating a parallel CRTC in the Privacy Commissioner’s Office (and make no mistake, that is what is being proposed here) is a waste of time, a waste of money and, worst of all, a threat to effectiveness. Well don’t. Declare privacy to be in the public interest. Turn the CRTC into an agency that has to care about privacy. Seat the Privacy Commissioner within it, with special powers.

    It’s unusual and unprecedented. But it is what makes sense. Is anybody listening?

  2. Ross MacGillivray says:

    I read the above article with cynicism. A little over a year ago I attempted to file a privacy complaint with the CRTC against a major telecommunications provider.
    The complaint involved interference with my e-mail within the telecommunications network infrastructure.

    I called the CRTC inquiries number and was advised that the correct recourse was to file a complaint under the PIPEDA Act with the Privacy Commissioner’s office.

    A little over a year later I have found that the Privacy Commissioner’s office had limited legislative language to deal with privacy issues with telecommunications carriers when the violation is alleged to have occurred within the telecommunications provider’s network infrastructure, and further that section 7(i) of the Telecommunications Act explicitly instructs the CRTC to pursue privacy as a policy objective.

    Jennifer Stoddart gets the benefit of a high-profile investigation by the CRTC, and other citizens are effectively told to take a hike by the CRTC.

    Does the CRTC ever bother to read the Telecommunications Act? Hint – read section 7!

    Additionally, the Privacy Commissioner’s office accepted my complaint. Did Jennifer Stoddart ever attempt to pursue her complaint within the PIPEDA Act? If she did not, then why are other citizens’ privacy complaints against telecommunications carriers even accepted, particularly when their own Commissioner seems to accept the futility of such complaints?

    Is either the CRTC or the Privacy Commissioner’s office bothering to read the legislation that drives their respective complaints process?