September 19, 2013 3:27 pm

Privacy law losing relevance, commissioner says

Privacy commissioner Jennifer Stoddart is trying to protect Canadians’ privacy armed with a law she says is losing relevance. Sean Kilpatrick/The Canadian Press

This summer, we spoke with Canada’s officers of Parliament. We profile each in an eight-part series. Read them all here.

She’s taken on Google, Facebook and the owners of Winners. No small feat, considering she’s swiping at these titans with a fly swatter.

In essence, Canadian privacy laws lack incentive for companies to obey and are losing relevance, said Jennifer Stoddart, the country’s privacy watchdog.

Story continues below

The commissioner administers two federal laws—one in each the private and public sectors—pertaining to privacy and the protection of personal information.

Throughout her 10 years in this office, she has called for reforms to both, without much response from Canada’s lawmakers.

Continued pushes for reform will have to fall to the next commissioner, however, with the curtain falling on Stoddart’s appointment at the end of this year. When she exits, she will leave behind nearly 15 years in a field she said she adores and finds fascinating, yet challenging.

In 2009, Stoddart found Facebook was being too loose with its users’ personal data, breaching Canadian privacy laws on four fronts. She gave the social media giant one month to change its conduct.

The following year, Stoddart investigated Google and found it contravened the nation’s privacy laws when its Street View cars improperly collected personal information such as emails, user names, passwords and addresses from unsecured networks. The commissioner ordered the company to improve its privacy training and delete all of the inappropriately-gathered information within 15 weeks.

Both companies, more or less, met Stoddart’s recommendations. Had they not, however, her only recourse would have been to take them to Federal Court.

Chocolate vs. privacy

This watchdog’s office is one without enough bite, a fact Stoddart will be the first to admit.

“In a few words, there aren’t enough incentives,” she said of the the law governing the private sector, the Personal Information Protection and Electronic Documents Act. “It doesn’t really do anything to deter those who want to misuse Canadians’ privacy, and therefore doesn’t give a marginal advantage to the many corporations that are protecting Canadians’ privacy.”

Stoddart is looking for the ability to slap corporations with heavy fines.

“If you’re deliberately launching a product that’s misusing peoples’ personal information, collecting their personal information or, indeed as one company was doing, spying on people who rent laptops, there should be some sort of sanction,” she argues.

Jennifer Stoddart, privacy commissioner, appears at Commons ethics committee to discuss her 2012 annual report. Sean Kilpatrick/the Canadian Press

As it stands, the office can launch an investigation after receiving a complaint. If the investigation reveals a company was breaking the law, the legislation is written in such a way that if the company comes to an understanding with the commissioner’s office, then that’s that.

“So in fact, you can behave badly knowing that if something bad happens and this comes to our attention, then you have time to change your ways,” she said. “I don’t think that’s the way, in this fast-moving world, to protect Canadians’ privacy.”

To put the issue in perspective, Stoddart offered a recent case in which the competition bureau released its findings of an investigation into price fixing for chocolate products. In that case, the heads of several leaders in the candy industry, including Nestlé Canada Inc. and Mars Canada Inc., face penalties up to $10 million and/or five years in prison.

“We’re talking about chocolate bars,” Stoddart said. “This is for fixing the price of chocolate bars. How much more important is Canadians’ privacy? And yet there’s no real sanction for misusing it.”

Many countries with privacy laws similar to those in Canada are able to impose fines, including the United Kingdom, Ireland, France and Holland, she said.

Last year in the United States, the Federal Trade Commission levied a $22.5 million fine on Google for breaching the privacy of millions of Apple users. In stark contrast, when Stoddart found the same company breaking Canadian law, the Internet giant simply had to say they’ll fix their mistake and do better next time.

Some of the amendments and updates Stoddart has called for her legislation, she says, would give her office sharper teeth and a stronger bite. But lawmakers aren’t moving much.

She and her predecessors have tried for years to bring the shortfalls of the badly outdated Privacy Act to the government’s attention.

Government access to personal info

This act applies to hundreds of federal departments and agencies—the institutions that arguably have the greatest access to Canadians’ personal information—ensuring they respect privacy rights by regulating how they collect, store, use and disseminate personal information.

But the act came into effect in 1983, before government business was conducted on computers and online at the rate it is today.

Late last year, a hard drive containing the names, birthdays, social insurance numbers, addresses and student loan balances of nearly 600,000 Canadians was lost from the offices of Human Resources and Skills Development Canada.

It was later revealed, through documents tabled in the House of Commons, that data breaches occurred in federal departments at an alarming rate between 2002 and 2012, affecting hundreds of thousands Canadians. A majority of these breaches were never reported to the privacy commissioner.

Stoddart recently recommended 12 reforms to the Privacy Act, including legislating security breach notification requirements and strengthening the means by which personal information is protected within the federal government. None of the recommendations have gone through.

Although she received positive feedback from some MPs on the parliamentary committee to which her office reports, the government didn’t seem interested in moving forward on privacy reform, Stoddart said.

“I’m hopeful that in the mandate of the next commissioner this will happen,” she said.

“It’s a law that’s 30 years old. I won’t say it’s outlived its usefulness, but it’s outlived some of its relevance.”

Once her successor takes over, he or she will inherit an office in much better shape than what was left for Stoddart. The behaviour of her predecessor, George Radwanski, sparked four investigations into the office, including one by the auditor general and another by the Public Service Commission.

Radwanski was accused of excessive spending, racking up hundreds of thousands of dollars in travel and hospitality expenses. Under attack from a Commons committee, he eventually resigned in 2003, less than half-way through his seven-year mandate.

After Stoddart took over, it was three years before the office regained the trust of the public service commissioner and was able to conduct its own hirings.

So by the end of her initial seven-year term in 2010, Stoddart felt she hadn’t given enough time to privacy since so much was absorbed by the investigations and rebuilding the office.

And the field was just too alluring for her to have left without really digging into it.

“I find it a fascinating field. It’s just amazing,” she said. “Everything you do and read, the decisions you have to take, the trends you watch, both in society and technology.”

By her final day in Ottawa, Stoddart will have spent almost 15 years making those decisions and watching those trends evolve on almost a daily basis.

“When I first came in, the world was a far different place,” she said, highlighting the lack of WikiLeaks, Facebook, smartphones and a far less pervasive Internet.

“Things are changing, not even every week, but every day. We’re all, I think, paddling to keep up.”

© Shaw Media, 2013

Report an error

Comments