Making Privacy Protection More Effective for Canadians
Remarks at the Centre for Law, Technology and Society of the University of Ottawa
January 19, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I want to begin by congratulating the Centre for Law, Technology and Society. You’ve blazed an impressive trail in your short history.
The centre has set the benchmark – in Canada and internationally – for excellence in the study of law and technology. This is a place of first-class scholarship and ground-breaking research.
That’s an accomplishment in itself, but what I deeply appreciate is how you’ve taken that knowledge out into the world. You’ve become policy leaders who make a difference – be it through Parliamentary appearances or speaking to conferences around the globe.
Michael Geist has popularized privacy issues (and even made people pay attention to copyright!) in his newspaper column. Ian Kerr’s stellar work was recently recognized when he was elevated to a Tier 1 Canada Research Chair.
Your opinions are sought after and they have a meaningful impact.
Over the years, my Office has developed a close relationship with the University of Ottawa’s law and technology program. As some of you may know, we’ve benefitted from the inspired teaching offered here – one of our lawyers, Louisa Garib, graduated from the program. This is where the next generation of privacy lawyers, practitioners and advocates is being educated.
As Privacy Commissioner, I extend my deep gratitude to all of you for these very significant contributions.
A New Term
As you know, Parliament recently approved my re-appointment for a three-year term. I thought I’d take the opportunity this afternoon to discuss a couple of my priorities for the next few years.
I welcomed the invitation to stay on. Many of you will remember that the first few years of my initial mandate were so focused on getting the Office’s administrative house back in order that there wasn’t as much time as I would have liked to spend on our raison d’être – privacy protection.
As a result, there are still some important things that I would like to do and I appreciate Parliament’s confidence in me to continue on in this role.
When I appeared before the Senate and a House of Commons committee, I outlined a few priorities:
- First, leadership on priority privacy issues – for example, the online world and public safety;
- Second, supporting Canadians, organizations and institutions to make informed privacy decisions;
- And, finally, service delivery to Canadians. At the end of the day, our work must meet the needs and the expectations of Canadians.
Over the next few years, you can expect to see us continue our work on privacy issues in the online realm and on national security and law enforcement issues.
We’re close to completing investigations of a social networking site targeting youth as well as an online dating site and there’s no shortage of issues to continue to keep us busy in this area.
Given the expanding role of the Internet in our day-to-day lives, these are very much mainstream issues. This fact was brought home to me by a recent statistic in the Harper’s magazine Index: The chance that an American couple who met since 2007 first met online is now one in four.
Public safety issues will also continue to play a dominant role. For example, we have urged Parliament to take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights.
Informed Privacy Decisions
Another piece of the privacy protection challenge is making sure that Canadians develop strong digital literacy skills – by which I mean the knowledge and skills necessary to protect their personal information, and the personal information entrusted to them by others.
For some time now, we’ve been using online tools such as blogs, Twitter and YouTube to help Canadians to better understand their privacy rights and to make well-informed choices. We’ve recently created a Youth Advisory Panel to test out ideas.
You’ll also see us continue to emphasize regional outreach because the face-to-face is still important in this increasingly online world. Our office in Toronto, where many of the private-sector organizations we receive complaints about are headquartered, is now up and running and meeting regularly with our stakeholders there. This is part of an ongoing effort to ensure that my Office is not perceived as either too Ottawa-centric or unaware of issues outside the National Capital Region.
While all of the work we do is important, at the end of the day, the priority that is most important to me on a personal level is service to individual Canadians. I want to ensure that Canadians calling my Office for help with a problem will receive the level of service they expect from us.
Around the time of my reappointment, I was showered with accolades about what the Office has accomplished since I became Commissioner at the end of 2003.
For someone who considers herself a team player, it sometimes made me a bit uncomfortable.
Don’t get me wrong. I am extremely proud of what my Office has accomplished. We have – among many other achievements – been extremely successful in a number of headline-grabbing investigations, including one that stemmed from a complaint from CIPPIC.
But as I listened to all the glowing tributes, I couldn’t help but think about where I would like to see us do better.
First on my list for this new mandate is service to Canadians – and ensuring that we are equally successful on the routine types of complaints that don’t get any public attention – but that are of deep importance to the people who bring them to us.
Not long ago, I was dismayed to read an article in the Canadian Privacy Law Review entitled, “Complaining under PIPEDA: An Exercise in Futility.” The piece detailed one complainant’s frustration over the fact that we took 16 months to complete an investigation and ultimately reached findings he felt missed the point of his initial complaint.
Unfortunately, despite our very best intentions, there are some cases where we haven’t delivered results as efficiently and effectively as we should have.
In recent years, a rapid turnover of investigators, combined with an increasing number of complaints dealing with highly complex issues, had led to a backlog of cases and unacceptably long investigation times. As a result of an all-hands-on-deck, multi-pronged approach, as well as extra resources from Treasury Board, we were able to bring the backlog down to a handful of cases in 2010.
With that challenge behind us, however, there’s still plenty to do. We are now focused on further refining our complaints process in order to better serve Canadians.
One of our internal challenges lies in ensuring that we efficiently handle issues when they are initially brought to our attention.
To begin with, we emphasize to would-be complainants the importance of trying to resolve their problem directly with the organization concerned, before filing an official complaint with us. A lot of the time, resolutions can be found quickly in this way.
We’ve also instituted an early resolution process that has been very successful. In fact, we’ve seen a significant drop in complaints accepted for investigation since formalizing that process.
Obviously, early resolution isn’t the right route for all types of complaints, but it helps us find satisfactory conclusions for people with straightforward types of privacy concerns, and frees up resources for more complex and systemic issues – the Facebook and the Google WiFi types of cases.
Those are some of the ways in which we can work internally to build an even more effective privacy-protection regime in Canada.
On another front, there’s also work to be done to strengthen our private-sector law, PIPEDA, to ensure it’s working well for Canadians.
I believe it’s also time to consider how to create stronger incentives for organizations to ensure they are protecting personal information.
PIPEDA looked fairly innovative when it came into force back in 2001. It adopted the Quebec approach on the concept of accountability – setting out how organizations are responsible for the personal information under their control and that they remain accountable even when the data is transferred to a third party. This contrasted with the European approach of database registration and dataflow controls.
More recently, however, we see privacy leaders around the globe taking the concept of accountability an important step further. Current thinking emphasizes the importance of requiring organizations to demonstrate that they are accountable.
As some experts have noted, PIPEDA doesn’t ask organizations to show accountability. The problem for us is that there are tens of thousands of organizations subject to PIPEDA. We are limited in our ability to ensure they are complying with the law.
At the moment, there is no simple mechanism for us to go in and check on compliance – unless we happen to get a complaint. Our ability to launch a Commissioner-initiated complaint or audit is constrained by the need to demonstrate we have reasonable grounds to do so. And, even if we do conduct an investigation, we may only be examining one aspect of compliance.
In short: Too many organizations are collecting too much information about too many people for us to continue to rely solely on a complaint-based system in order to assure Canadians that the organizations they deal with are accountable and compliant with PIPEDA.
So, how do we ensure organizations are accountable? Do we simply trust them? Do we do more private-sector audits from our Office, or should we encourage independent third-party audits by industry regulatory bodies? Do we create stronger incentives for compliance?
These are the kinds of questions we have been thinking about as we prepare for the second mandated Parliamentary review of PIPEDA, which is expected to begin this year.
Fortunately, we’ll have the benefit of a flourishing discourse on accountability that is taking place throughout the world, including at APEC and across Europe.
One of the leaders in this area is the U.S.-based Centre for Information Policy Leadership. Its Accountability Project is considering what it means for an organization to be accountable for the personal information it collects, and how it can demonstrate its accountability to data protection authorities and individuals.
Accountability Project papers and discussions have helped us think more clearly about what the concept involves. The discussions have also been useful because they have brought together global businesses and data protection authorities from around the world – two groups that haven’t talked enough in the past.
It has also provided the opportunity for some big-picture, forward-looking thinking.
The importance of the project has been enhanced by last summer’s release of a thoughtful Opinion on Accountability by Europe’s data-protection authorities.
The Opinion, by the Article 29 Working Party, proposes that a statutory accountability principle be added to the European Directive. The principle would explicitly require organizations to implement measures to put into effect the principles and obligations of the Directive, and to demonstrate this upon request.
The Article 29 Working Party sees accountability as a way to translate legal requirements into real data-protection measures.
What’s promising about these developments is that we are seeing some convergence around the concept of accountability as a way to move forward and possibly identify common ground internationally.
Incentives for Compliance
I would also like to take a few moments to talk about incentives for compliance. I am increasingly of the view that we may need stronger powers in order to be an effective privacy guardian for Canadians.
We’ve become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines.
The Federal Court does have the power to impose damages against organizations that violate PIPEDA. However, it has set a very high threshold for doing so. Last June, in Randall v Nubodys Fitness Centres, Mr. Justice Mosley found that an award of damages should only be made “in the most egregious situations.”
The Court has awarded damages only once in the decade that PIPEDA has been in force.
Late last year, it awarded damages of five thousand dollars after finding that a credit reporting agency, TransUnion, had profited from the disclosure of inaccurate information and acted in bad faith in failing both to take responsibility for its error, and to rectify the problem in a timely way.
By way of contrast, we’ve seen a number of other countries moving to impose substantial fines.
In the United Kingdom, for example, Information Commissioner Christopher Graham recently used his powers to impose monetary penalties to send a strong message about serious breaches of the UK’s Data Protection Act.
A county council was ordered to pay 100,000 pounds ($157,000 Cdn) for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. One case involved information about child sex abuse, the other, domestic violence.
An employment services company was fined 60,000 pounds ($94,000 Cdn) for losing an unencrypted laptop that contained personal information relating to 24,000 people who had used community legal advice centres.
Meanwhile, my Spanish counterpart, Commissioner Artemi Rallo, has already earned the nickname “the Enforcer” for his assertive use of his existing enforcement powers. Then, in the fall, the Spanish Data Protection Agency initiated infringement proceedings against Google, related to the collection of data from WiFi networks – an action that could potentially lead to hundreds of thousands of Euros in fines.
Here in Canada, the CRTC has the power to impose fines for violations of the do-not-call rules (and recently slapped Bell Canada with a record-setting $1.3-million penalty). There are significant fines – $10 million for businesses – provided for in the new anti-spam law.
Hefty fines get just about any company to sit up and take notice – and to place a greater importance on compliance.
Another possible compliance incentive that has been advanced by privacy advocates over the years is the naming of organizations we investigate.
To be candid, I have a growing discomfort with the secretive nature of how we work under PIPEDA.
Initially, it seemed like a reasonable approach to name names only when doing so was determined to be in the public interest. What we’re finding, however, is that meeting the public interest test is a very high jurisprudential threshold.
It seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings. This is another issue that we’ll be examining more closely as we consider our submissions for the next review of PIPEDA.
As you can see, there’s plenty to think about in terms of how to ensure that Canada maintains its tradition of leadership in privacy protection.
The next few years promise to be extremely interesting. I’m looking forward to the challenges – and, once again, I thank you for your ongoing support and for organizing this wonderful event.