OPC's resumé of the report, Powers and Functions of the Ombudsman in the Personal Information Protection and Electronic Documents Act: An Effectiveness Study

February 2011


BACKGROUND

  • In April, 2009, the Office engaged Lorne Sossin and France Houle (“the authors”) to perform a legal and policy analysis of the effectiveness of PIPEDA as a model for regulating the personal information management practices of the private sector.
  • Specifically, the authors were asked to examine the genesis of the legislation and its history to date; review the existing structure and powers of the Office of the Privacy Commissioner (“the Office”); assess the extent to which the existing powers have been employed and ascertain the related impact on ensuring compliance with the law.
  • This analysis culminated in six recommendations regarding future reforms.

OVERVIEW

  • The Report gives the Office's current ombuds model a mixed grade in relation to its ability to effectively promote compliance with PIPEDA.  The authors note that “there is a basis both to confirm that the OPC's ombudsmodel is a success, which has had a concrete and significant impact on the goals set out in PIPEDA, and to suggest that the OPC remains constrained from fulfilling its mandate under PIPEDA” as a result of its current institutional structure (95).
  • With the existing suite of tools at its disposal, the authors conclude that the Office has effectively enhanced compliance with PIPEDA by working with large industry sectors such as banking and insurance, building trust across the private sector, providing guidance on the interpretation and application of PIPEDA, responding to complaints, inquiries and concerns, raising awareness of PIPEDA and generally enhancing the profile of privacy issues.
  • However, the authors conclude that the Office has been less effective in promoting compliance with PIPEDA through these activities where small and medium sized businesses are concerned.  The more limited success the Office has had promoting compliance with PIPEDA by small and medium sized businesses is attributed, in part, to the existing ombuds model.  According to the authors, data from provincial enforcement of privacy legislation suggests that it is only the threat of penalties which will affect the “bottom line” of small and medium sized businesses that will lead to a change in these businesses' behaviour.
  • Non-compliance by small and medium sized businesses is a particularly important issue because compliance rates are low while the risk to personal information is particularly high.
  • The authors' conclusions with respect to the effectiveness of the current ombuds model in promoting compliance with PIPEDA resulted in the identification of several areas for reform, most notably with respect to order-making power and the authority to impose financial penalties for non-compliance.
  • The authors made the following recommendations:
    1. Conduct research into the specific challenges for privacy protection posed by Web 2.0 and whether the existing ombuds model is capable of meeting these challenges;
    2. Continue to use current powers and leverage under the ombuds model to target small and medium sized businesses for outreach, education and the adoption of incentives for compliance;
    3. Acquire targeted and limited power to make orders, including the imposition of fines and penalties;
    4. Obtain explicit guideline making power (which can mitigate the risks associated with greater order-making power);
    5. Use existing powers and tools to creatively adapt and respond to privacy challenges;
    6. Adopt a clearer strategic planning approach in relation to activities under PIPEDA.

DETAILED SUMMARY

Why was an ombuds model originally chosen?

  • When PIPEDA was enacted, government was wary of prematurely forceful intervention in the regulation of Internet commerce.  The Internet was a novel and largely unknown technology and regulatory programs were not seen as efficient instruments for remedying weaknesses in the market.  However, government had to act because there was strong pressure to coordinate actions and harmonize norms.
  • Fostering the circulation of information to support the development of electronic commerce in a knowledge-based economy while ensuring consumer confidence were the government's key goals.
  • At the time PIPEDA was enacted, there was limited discussion about the most appropriate institutional model for guaranteeing the effective application of PIPEDA.  The authors note that the choice of an ombuds model appeared to be motivated by a desire to save money and avoid the proliferation of bureaucracies; a desire for the flexibility an ombuds model offered with respect to ensuring a uniform and harmonized application of law in a complex legal and constitutional environment; the model's ability to be responsive to the complexities of businesses through consultation, conciliation and negotiation; and a desire to reduce regulatory burden on business (10).
  • The characteristics typically associated with an ombuds model – namely an absence of coercion; a preference for consensus-building; flexibility; confidentiality; independence from government; absence of binding orders, sanctions or other remedial powers; accessibility; responsiveness to parties' needs – were in keeping with the government's regulatory goals when PIPEDA was enacted (11).
  • The report concludes that “the OPC's Ombuds model was the result of a policy compromise whose ultimate form was, in part, a response to concerns in the private sector about intrusive and costly regulation, and a response to growing political concerns over the vulnerability of personal information in the private sphere” (96).

Merging a new private sector mandate with the OPC's existing public sector mandate

  • Consistent with the fact that there was little meaningful discussion about the institutional structure of the institution charged with interpreting and applying the new private sector privacy mandate under PIPEDA, the Report also notes that the inclusion of a private sector mandate within the same institution responsible for privacy issues in the public sector was little discussed.
  • Combining public and private sector privacy mandates can facilitate the sharing of institutional expertise and limit the risk of normative inconsistency in a context in which shared privacy norms span both the public and the private sector.
  • However, critics of this dual mandate question why an Officer of Parliament, intended to be Parliament's “right hand” with respect to privacy matters in the public sector, should also be responsible for the private sector since oversight of the private sector does not fall within the mandate of Parliament.
  • The Report notes that the Office's dual mandate makes any discussion of enhanced powers under PIPEDA more complex as “[i]t would be difficult to reconcile the idea that within a single agency – the Office of the Privacy Commissioner – there can co-exist within a single person an Ombudsman responsible for enforcing the Privacy Act and a decision-maker responsible for ruling on violations of and ordering penalties under PIPEDA, without the legitimacy of the differing treatment being constantly challenged, thereby undermining the institution's credibility over the long term. This is particularly true if the statutory violations committed by the government and the private sector were to be essentially of the same nature” (p. 40).
  • The authors identify two options for addressing the disparity that introducing order-making powers in the private sector context would create between the Office's public and private sector mandates:
    • Merge the two legislative regimes into one, which would treat statutory infractions the same way whether they are committed by the public or private sector, and provide OPC with financial and human resources to implement this new mandate;
    • Create two separate agencies to regulate the public and private sector respectively, which would be more institutionally coherent with Canadian norms in that the task of overseeing private sector matters normally falls to decentralized organizations without a corresponding mandate over public sector institutions.

The Office's current powers

  • Like a classical ombudsman, the Office has been granted broad investigative powers, which the Report notes are moderated by the non-binding nature of its decisions.
  • The Report highlights the following suite of compliance and enforcement tools currently at the Office's disposal:
    • Investigating complaints and issuing reports with recommendations to remedy issues as appropriate;
    • Pursuing legal action before the Federal Court;
    • Conducting audit and review activities and publicly reporting on the findings;
    • Conducting privacy impact assessments;
    • Providing legal and policy analysis and expertise to assist Parliament in protecting Canadians' privacy rights;
    • Responding to inquiries of Parliamentarians, Canadians and businesses;
    • Promoting public awareness and compliance through research, outreach and public education activities;
    • Providing legal opinions and conducting litigation to advance the interpretation and application of the law;
    • Monitoring trends in privacy practices and promoting best practices; and
    • Working with privacy stakeholders in other jurisdictions to address cross-border privacy issues.
  • The authors identify the Office's power to report to Parliament and, consequently, the media as a fundamental and extraordinary power through which the Commissioner, as an agent of Parliament “can make a real contribution to the effective operation of the parliamentary system” (p. 38).
  • The authors identify the Commissioner's additional power to disclose information in the public interest under her private sector mandate as critical to the effectiveness of the Office: “In its dealings with large multinational technology companies such as Google or Facebook, attracting media attention is as important for the OPC's effectiveness as any regulatory powers it might attempt to exercise against such companies” (62).
  • There is only passing mention of the Office's current authority to initiate and participate in hearings before the Federal Court and its role in promoting and enforcing compliance with PIPEDA.  The authors are critical of the role court action can play in enforcing compliance, identifying it as “the only, and unfortunately, inefficient, means by which the OPC may now have an order enforced” (100).

Effectiveness of Current model

  • The Report concludes that it is impossible to draw informative conclusions about the effectiveness of the Office or its institutional structure from statistics related to numbers of inquiries, complaints, etc. as these statistics can be interpreted in a myriad of ways (55).
  • The Commission of European Communities' assessment of the effectiveness of PIPEDA identified the Office's institutional structure and enforcement powers as a strength: “the Commission commended the OPC's independence and powers, as complainants have recourse to the Federal Court where their privacy has been violated compensating, in their view for the Commissioner's lack of enforcement powers” (83).
  • The Report notes that the Office's structure is a theoretically strong vehicle for promoting effectiveness when viewed through the lens of cooperative legalism, a framework that supports both a desire for greater enforcement and a preference for broader self-regulation (84).
  • The Report concludes, however, that the Office has been less successful in achieving its agenda with respect to the medium and, in particular, the small business sector (92).  The authors' interviews and literature review revealed that “[s]mall businesses tend to view privacy concerns as an added cost with little added value, and it is in this setting that respondents tend to highlight the shortcomings of the OPC's model, and its lack of enforcement powers in particular.  In this sector, the OPC has failed to create significant incentives for compliance” (92).
  • “Respondents from industry groups tended to support the status quo powers of the OPC, and to highlight the effectiveness of the Federal Court as an ultimate ‘stick', but most other respondents would be in favour of greater order-making powers, particularly as a means of inducing and ensuring compliance in the small and medium business sectors.  While most respondents favoured providing the OPC with order-making powers, most also agreed that these powers should be used sparingly.  Rather, they believed that possessing a credible and effective threat of order-making would enhance the effectiveness of the OPC's other proactive and educative activities” (92).
  • Interviewees also noted that there would be other indirect benefits if order-making powers were introduced, including greater rigour and detail in findings released by the regulator.  It was also felt that the profile and importance of industry compliance officers would increase, resulting in greater resources being allocated by private sector to PIPEDA compliance.

Comparative analysis of the Office's effectiveness from an institutional perspective

  • “Quebec, Ontario, British Columbia, Alberta and the federal Privacy Commissioners have the same powers of investigation and mediation, as well as the shared ability to initiate complaints and to conduct audits.  The primary difference between the powers of these provincial commissioners and the federal Privacy Commissioner is that they have the added power to issue final decisions in order to settle disputes concerning complaints, subject to judicial review” (71).
  • Provinces have stronger powers of enforcement via their “ombudsman with a stick” model, which  “appears to be most effective when it serves as a deterrent, rather than a means of compelling compliance with privacy legislation, as Commissioners tend to prefer to resolve complaints through conciliation, mediation and informal measures” (71).
  • “The experience in these provinces demonstrates, for example, that businesses can adapt to a regulatory environment that includes order making without any significant problems.  The experience of Quebec, Alberta and B.C. is instructive in another respect as well.  All of these provinces have had a chance to observe the OPC's Ombuds-model and, in recent statutory reviews, none of the three suggested that the federal model be adopted” (71).
  • The Report identifies Quebec's experience with Bill 86 as particularly noteworthy.  Bill 86 changed the structure of the CAI by separating the oversight division from the adjudicative division in response to criticism that CAI had been jeopardizing its independence and impartiality by allowing the same group of CAI members to both investigate and adjudicate CAI's oversight powers.  According to the authors, Bill 86 “highlights that independence and impartiality, as core administrative law norms, provide the backdrop against which institutional design and the search for the optimal model take place” (67).
  • Following its review of Alberta and British Columbia's experiences, the Report concludes that an ombuds model may coexist with and complement a range of enforcement and compliance measures.  The authors examined recent legislative review processes and concluded that “[t]he fact that the Ombuds model for privacy commission jurisdiction over the private sector has been favourably reviewed in provincial jurisdictions does not mean this model is the most effective, but it does speak to its broad appeal, and the perception that its track record has been generally positive” (70).
  • The institutional structures of “peer regulators” like the CRTC, the Competition Bureau and the Federal Trade Commission were also examined in the report.  Each of these regimes is significantly different from the Office's current institutional structure and offers no obvious model for reform.

Monetary Penalties

  • The authors note that the ability to impose monetary penalties or fines is a power not normally associated with an ombudsman or an Agent of Parliament or administrative boards and tribunals more generally.
  • The authors' review of federal boards and tribunals did not identify any decentralized administrative boards or tribunals with the power to directly impose monetary penalties or fines upon the determination of statutory violations.
  • The Report identifies monetary penalties that may be administered by the minister responsible for the Employment Equity Act as the only exception.  In this case, the minister may issue a notice of monetary penalty upon determining there was a violation of the Act, which the employer may contest before the Human Rights Tribunal.  Given the role of the Minister in this scheme, the authors conclude that this is “a long way from a sanction directly administered by a decentralized organization” (42).
  • The Report notes that Quebec's human rights tribunal has the power under s. 49 of the Quebec Charter to grant punitive damages in a case of unlawful and intentional interference with a quasi-constitutional right protected by the Charter.  The authors suggest that an analogy could be made to justify the assignment of such powers to the Office since it is likely that privacy protection has acquired the same legal status as a quasi-constitutional right (51).
  • The Telecommunications Act authorizes the CRTC to impose administrative sanctions that are enforceable and appealable/reviewable by the Federal Court.  Reasonable grounds are required before a notice of infraction can be issued.
  • In the United Kingdom, a new act not yet in force “gives the ICO the power to impose fines on both the public and private sectors where section 55 of the DPA is violated.  Section 55 makes it a criminal offense to knowingly or recklessly obtain or disclose personal data without consent.  Penalties can be appealed to the Information Tribunal; however, the Commissioner's new power has yet to be brought into force and the Secretary of State has not yet set the maximum penalty”.
  • Following their survey of monetary penalty and fine schemes, the authors conclude that normally, punitive regimes found in enabling legislation are administered by judges upon finding infractions under that legislation, the procedural protections of criminal law are applicable and it is judges in courts of law who have to make findings of guilt and impose the penalties.  The “[a]llocation of criminal powers to decentralized organizations is in fact a relatively recent idea in federal administrative law, and it seems to have yet to pervade federal law on a wide scale” (42).

The case for introducing order-making powers and monetary penalties under PIPEDA

  • The Report concludes that the Office's effectiveness would be enhanced if it possessed limited order-making authority, including the ability to levy monetary penalties.
  • This conclusion is based primarily on the following premises:
    • The Office's effectiveness with respect to the small and medium sized business sector has been limited;
    • Public education and outreach efforts, while important, are not sufficient to improve compliance in the small and medium sized business sector;
    • “[o]nly the threat of penalties which affect the bottom-line can lead to a change in business behaviour” in the small and medium sized business sector;
    • Small and medium sized businesses would proactively respond to the threat of federal order-making powers and monetary penalties by improving their compliance with PIPEDA.
  • Particularly noteworthy is the Report's conclusion that the effectiveness of order-making powers, including the ability to levy monetary penalties, comes from the threat of these sanctions much more than their actual use.
  • Noting that order-making powers may not be “as necessary” in the large business sector, the Report notes that introducing these powers might have salutary effects including “enhancing the significance of privacy policies…and the profile of compliance officers”.
  • The authors suggest that the introduction of order-making powers, including the ability to levy monetary penalties, would (i) increase economy by reducing the need for the existing separation of the Office's operations into discrete PIPEDA and Privacy Act spheres; (ii) increase efficiency by leading to more significant results for the same investment of effort and resources; (iii) increase effectiveness by increasing levels of compliance, particularly in the small and medium sized business sector; and (iv) increase equity by ensuring consumers' personal information was equally protected whatever the size and sophistication of the business being dealt with.

Problems associated with order-making powers and monetary penalties

  • The Report identifies some operational risks associated with the introduction of order-making powers and monetary penalties including negative reactions from the business sector, increased adversarial tensions, increased litigiousness and added costs and complexities for both the Office and the private sector (99).  However, the authors note that provincial experience suggests these risks are overstated and may be offset by an increasing interest in a stronger consumer protection climate that can justify increased regulation of business.
  • The Report's fourth recommendation – introducing explicit guideline-making power – is intended to offset some of the risks associated with the introduction of order-making power.  According to the Report, the Office can mitigate the risks associated with new order-making powers by issuing “guidelines to enhance coherence and predictability in the exercise of the additional powers following a consultative process” that would build on trust between the Office and the private sector that has already been established.  The authors believe that clear guidelines for the use of new order-making powers and safeguards to ensure fairness to those subject to it are “essential accountability tools” that “ought to accompany the additional regulatory authority” (100).
  • Legal risks associated with the introduction of order-making powers include the outstanding constitutional problems raised by the passage of PIPEDA: “Any consideration of granting the Office order-making powers that could be applicable to all Canadian businesses would generate stormy federal-provincial debates” (51).
  • The introduction of order-making powers, including the ability to impose monetary penalties, would create even more disparity between the Commissioner's powers under the Privacy Act and those under PIPEDA.
  • The introduction of order-making powers, including the ability to impose monetary penalties, may require a significant overhaul of the Office's current institutional structure.  The Report notes that “it would seem that replacing the Office with an agency in the decentralized organizations category, and more specifically, a social regulatory agency…endowed with administrative powers (e.g. power of investigation), decision-making powers (e.g. power to make orders and impose penalties) and regulatory powers, is an option that could be given serious attention” (51).

Additional Recommendations

  • In addition to the recommendations regarding the introduction of order-making powers and a complementary guideline-making authority, the Report makes four additional recommendations.
  • The Report recommends additional research in relation to the impact that new technologies and phenomena, including Web 2.0, will have on the Office's ability to protect the personal information of Canadians.  Specifically, the authors suggest additional research regarding the ability of the Office's institutional structure to address challenges posed by emerging technologies, the complexities inherent in ensuring harmonized regulations in this context and related challenges posed by overlapping regulatory regimes and the constitutional division of powers (97).
  • The authors recommend that the Office continue to extend the limits of the current ombuds model by continuing to utilize media attention, existing trust relationships, and public education and outreach efforts to enhance compliance with PIPEDA.  The Office's efforts to establish a regional office in Toronto are noted favourably in this regard.
  • The authors also recommend that the Office explore other creative regulatory powers to extend the scope of the Office's activities under the current ombuds model, suggesting the development of a privacy seal or certification program as an example.
  • Finally, the Report suggests that the Office improve accountability mechanisms to ensure longer-term strategic planning and meaningful benchmarks.  The authors take note of the various performance and departmental reviews the OPC currently undertakes but indicate that “it is often difficult to discern the criteria by which the various reviews assess the OPC.  More troubling, it is not clear by what standards the OPC evaluates its own performance”.  The Federal Trade Commission is identified as a helpful model in this regard.

To read the report: Powers and Functions of the Ombudsman in the Personal Information Protection and Electronic Documents Act – An Effectiveness Study
