Second appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on Privacy and Social Media

December 11, 2012
Ottawa, Ontario

Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Mr. Chair and Honourable Members, I want to thank you for the invitation to appear again before Committee at the end of your study.  I am joined today by Chantal Bernier, Assistant Privacy Commissioner, and Barbara Bucknell, Strategic Policy Analyst, from my Office.

Overview of privacy challenges

Over the past several months, you have heard from an array of interested parties on the benefits and privacy challenges of social media.  When I first appeared, I noted the four areas where we had the most concern in terms of privacy protections.  These were: accountability; meaningful consent; limiting use; and retention. 

It is noteworthy that the witnesses who appeared before you have largely agreed that these areas are challenged by social media.  Where they tended to differ was on the adequacy of the tools available to address the problems.  Also noteworthy was the extent to which children and youth privacy permeated the discussions.  Many interesting ideas were put forth with respect to digital literacy as well as possible legislative responses. 

I would like to commend the Committee for its insight in holding such a relevant study. 

Enforcement Powers

Today, I want to address the key comments that have emerged from your hearings.

The most important question put forward throughout the study was whether PIPEDA is up to the task of handling the challenges brought about by changing technology.

Most witnesses felt that PIPEDA needs to be modernized; others took the position that PIPEDA does not need to be changed, that its enforcement model works and that its technology neutral character is its strength. 

In my view, with the emergence of Internet giants, the balance intended by the spirit and letter of PIPEDA is at risk. 

The quasi-monopoly of these multinationals has made PIPEDA’s soft approach, based on non-binding recommendations and the threat of reputation loss, ineffective. 

We have seen organizations ignore our recommendations until the matter goes to Court, and we have seen large corporations, in the name of consultation with my Office, pay lip service to our concerns and then ignore our advice.   

Moreover, with vast amounts of personal information held by organizations on increasingly complex platforms, the risk of significant breaches and of unexpected, unwanted or even intrusive uses of that information calls for commensurate safeguards and financial consequences not currently provided for in PIPEDA.  New incentives, including changes to the enforcement model, are required to encourage organizations to be proactive, to build up-front protections, and to ensure secure treatment of individuals’ personal information.

I agree with the witnesses who stated that PIPEDA’s strength is that it is technology neutral and principles based.  These are characteristics that must remain. 

I also agree – at least in part – with those who noted my Office’s success in bringing organizations into better compliance with the law.  We have made use of the tools the law provides, and I acknowledge that we have been able to effect some change – but often after an arduous effort.  That effort comes at high cost to Canadians and is less and less effective against powerful, multinational companies.

You heard the argument that my Office cannot be “judge, jury and executioner”.  In response, I would point you to some of my international and provincial counterparts.  The U.K. Commissioner can issue fines, as can a number of the international data protection authorities listed in the document I have tabled today. 

In the UK, stronger enforcement powers have not precluded an ombudsman approach and, where appropriate, fines are issued where a softer touch has failed.  Our UK counterparts tell us that businesses that invest in good privacy from the start feel it is only fair to impose a financial burden on those who do not, in order to even the playing field. 

My fellow Commissioners in Quebec, Alberta and British Columbia have order-making powers and jurisdiction over the private sector.  They also have other functions, prescribed in legislation, that enable them to perform multiple roles, such as, educator; adjudicator; enforcer; advocate and so on.  I note witnesses before this Committee described the positive relationship they have developed with them.

You have heard that Canada’s model is one that many around the world look to.  What others find positive about our law is that it does not single out sectors and is non-prescriptive.  Yet, given that many of my international counterparts either have stronger enforcement tools or are requesting them, it is not our enforcement model that they are admiring. 

Indeed, I worry that if my counterparts continue to gain stronger powers, but Canada does not, Canada will fall behind in inspiring consumer confidence needed for the digital economy to thrive. 

At a minimum, we must start with mandatory breach notification – including financial consequences for egregious cases.  Increasingly, other countries are implementing such legislation.  Such requirements would reinforce accountability and, with penalties, provide financial incentives to better protect Canadians’ personal information.  Such penalties should be flexible and adaptable to circumstances so as not to unduly burden smaller organizations.

Digital Literacy

Another key theme that has emerged from your hearings is the importance of digital literacy.  I believe the moment has come for governments, educators, and our communities to seriously focus attention on the digital education of Canadians of all ages. 

Such an effort must address broader societal and ethical issues that are raised by new information technologies but which fall outside data protection law per se.

People need to understand that information on the Internet can live on forever and that they should be careful about what they post about themselves and others.

That being said, digital literacy does not absolve companies of their obligations under privacy law. 


In conclusion, given the global nature of today’s digital economy, Canada’s federal law needs enforcement powers comparable to those in other jurisdictions.  That is the way to have the greatest impact on privacy protection and improve Canadians’ confidence in the online environment. 

A law that dates back to a time before social networks and smart technologies were created cannot remain static.  The ways in which personal information in this environment can be collected and used by many players makes a formal study of the effectiveness of our privacy framework even more pressing.  I strongly urge Parliament to move forward, as quickly as possible, with a review of the legislation.

And with that, I am happy to take your questions.

Date modified: