Leveraging Past Success for a Vibrant Future
Remarks at a presentation to the Canadian Chamber of Commerce Ottawa Liaison Committee
February 24, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I have had seven fascinating years as Privacy Commissioner. The first few years were admittedly difficult because of organizational issues. After that, however, our Office really hit its stride.
We have conducted major investigations, important audits, and extensive public outreach. We have opened an office in Toronto, in order to foster vital linkages with the business community.
In December, I was honoured to be reappointed for another three-year term. I am determined to make the most of it – to leverage past successes in order to lead this Office into a vibrant future.
I am well aware that there is no room for complacency. The privacy landscape continues to evolve and new challenges are continually emerging. That is why I have settled on three priority focuses for the remainder of my time in office:
- To demonstrate leadership on the four trends that we feel will have the most significant impact on the privacy of Canadians;
- To help organizations and ordinary Canadians make informed privacy decisions, and
- To enhance our delivery of service to Canadians.
1: Leadership in 4 policy priorities
On the first priority, this is something my Office has been working on for several years already. We identified four policy areas where we ought to be concentrating our efforts. These are:
- Public safety and privacy
- Information technology and privacy
- Genetic technologies and privacy,
- The protection of personal identity and privacy.
These priorities guide our activities in many respects: How we support research, for example, where we focus our audits and investigations, the Privacy Impact Assessments we choose to review and so on.
In terms of information technology, for example, we are putting a great deal of emphasis on the digital environment, where more and more Canadians are living out their daily lives. I recently read that one in four American couples who met since 2007 first met online.
As you know, we have had continuing discussions with online giants such as Facebook and Google. At the moment, we are investigating further complaints about Facebook as well as a site targeting children, and an online dating site.
Just last week, we published an information document about the use of biometrics in the private and public sectors.
The privacy implications of public safety and law enforcement initiatives are another ongoing priority for us. We recognize that privacy protections must sometimes give way to a greater good, but only if the promised outcome is achievable and no less privacy-invasive option has been overlooked.
A tangible outcome of our work in this field was a comprehensive reference document on the privacy issues raised by public safety initiatives.
2: Supporting informed privacy decisions
A second priority for me is to help organizations and ordinary Canadians make informed privacy decisions. Canadians are sophisticated in their online literacy, but their understanding of privacy in the digital world could be improved.
How many people actually read privacy policies? Do they know how to secure their home computers and networks?
Businesses, for their part, also have a role to play. They must, for example, ensure that their employees are privacy literate - that they know how to take good care of the personal information they handle.
Proper and ongoing training can save organizations a lot of grief – and money. An employee who has learned about privacy is less likely to leave a laptop with personal information lying in a car, or to be cavalier about punching in the right fax number when sending sensitive records.
And yet, polling by my Office reveals that fewer than two of five businesses trained their workers in this manner. We need to do better.
My Office is trying to do its part. We are using online tools to help Canadians better understand their privacy rights – and to make well-informed choices in a rapidly changing privacy landscape.
Much of our public awareness work involves others, including business groups, consumers and government organizations.
3: Service Delivery
The third vital focus for me will be to enhance our delivery of service to Canadians.
This demands that we also remain responsive to the needs of businesses and government.
Bolstering our service to Canadians demands a vibrant organizational capacity. We embarked on this course last year with the consolidation of responsibilities for both acts under the able leadership of a single assistant commissioner, Chantal Bernier, and will leverage this streamlined and strengthened structure in the year ahead.
Last year's opening of our Toronto office and the transfer of most of our PIPEDA-related work were tangible signals of our desire to reach out to stakeholders. By setting up shop in Canada's business centre, we are able to forge more meaningful ties with regulated industries.
Through outreach, consultation and guidance, we believe we can promote better privacy habits among Canadian enterprises. It is always better to encourage organizations to avoid problems in the first place, than ferret out and address wrongdoing after the fact.
First PIPEDA Review
Even so, the world is imperfect, and new challenges are always arising. Therefore, it would be naïve to suggest we could ever dispense with a key function: The enforcement of compliance with privacy laws.
The architects of PIPEDA had the foresight to make the legislation technology neutral, and this has served us well over the past decade that the law has been in force.
But the privacy landscape is evolving quickly, and our regulatory framework needs to adapt in order to remain robust and effective.
One way that PIPEDA remains contemporary and responsive is that it has to be reviewed by Parliament every five years.
The inaugural review a few years back resulted in several actual and pending legislative amendments.
Some of those were grouped together as Bill C-29, which remains before Parliament today. It would, among other things, require organizations to notify my Office and affected individuals following serious data breaches. That would be a welcome change.
Other important amendments to PIPEDA were passed in Parliament last December, as part of legislation to curb the amount of deceptive electronic communications, or spam, circulating in Canada.
Under the new law, my Office has more discretion to refuse or discontinue complaint investigations. This will enable us to concentrate our investigative resources where they will have the most impact, thereby enhancing service to Canadians.
The new legislation also allows us to share information with our domestic and international counterparts – whether the matter involves spam or other privacy issues. In this era of global data flows, this new power to collaborate with other enforcement authorities is essential.
The main thrust of the legislation, however, related to electronic spam and the many scams that often come with it. More than a mere nuisance, spam can lead to identity theft and other frauds. It can harm a business and damage public faith in the online economy.
My Office will share enforcement responsibilities under this new law with the CRTC and the Competition Bureau. We look forward to taking on our share of that effort.
Second PIPEDA review
Parliament will gear up again this year to begin reviewing PIPEDA for a second time. My Office has already laid substantial groundwork to contribute to this effort.
You may recall, for instance, that we held a first-ever series of public consultations, aimed at gleaning the kind of insight on the emerging technology issues that could have a dominant influence on privacy in the years ahead.
Those consultations took place last spring and included public meetings in Montreal, Toronto and Calgary. We canvassed views from business, government, academics, consumer associations and civil society.
The consultations explored privacy issues related to cloud computing, as well as to the online tracking, profiling and targeting of consumers by marketers and other businesses.
We have published an interim report on what we heard, and a final report is forthcoming soon.
Sossin & Houle
Another aspect of ensuring that PIPEDA remains the right tool for the job we expect of it is to examine whether it supports the current structure and operations of my Office.
Toward that end, we asked two noted academics - Osgoode Hall Law School Dean Lorne Sossin and France Houle, of the Université de Montréal - to look at how we measure the effectiveness of laws such as PIPEDA. They also examined enforcement models in other countries and within other federal institutions.
At the conclusion of their review, the professors suggest that my Office would benefit from certain targeted order-making powers, including the ability to impose penalties such as fines.
In their report, which we just posted on our website, they also call for explicit guideline-making power, to assist with the fair and transparent implementation of new order-making powers.
I tend to agree: it is time to consider stronger incentives for organizations to protect personal information.
Order-making and fining powers
We are one of the few major countries in the world where the data-protection regulator lacks the capacity to issue orders and impose fines.
The Federal Court can impose damages against organizations that violate PIPEDA. However, it has done so only once in the decade PIPEDA has been in force. Some months ago, the Court awarded damages of $5,000 after finding that a credit reporting agency had profited from the disclosure of inaccurate information and acted in bad faith in failing to take responsibility for its error and to correct the problem in a timely way.
By contrast, consider the UK, where the Information Commissioner has used his powers to send some strong messages about data breaches.
Since November alone, three county councils and an employment agency have been punished for such infractions as losing unencrypted laptops and faxing sensitive documents to the wrong recipients.
And the penalties are severe: One of the councils was fined the equivalent of $157,000 in Canadian funds.
The Spanish Data Protection Agency, meanwhile, has initiated infringement proceedings against Google, related to the collection of data from Wi-Fi networks – an action that could lead to hundreds of thousands of Euros in fines.
Here in Canada, the CRTC can levy fines for violations of the do-not-call rules - and recently slapped Bell Canada with a record-setting $1.3-million penalty. And the new anti-spam law I mentioned earlier would enable the CRTC to levy fines against businesses of up to $10 million.
Most companies will concentrate on compliance when hefty fines are in play.
I want to elaborate a little more on the concept of accountability.
Contemporary thinking around the globe today is that organizations ought to demonstrate that they are accountable for the protection of the personal information under their control.
Unfortunately, that's not necessarily the case in Canada yet.
The truth of the matter is that too many organizations are still collecting too much information about too many people for us to continue to rely solely on a complaint-based system.
PIPEDA covers tens of thousands of organizations, so my Office cannot possibly keep tabs on all of them.
Indeed, there is no simple mechanism for us to proactively go in and check for compliance. Our ability to initiate a complaint investigation or audit is constrained by the need to demonstrate we have reasonable grounds to do so.
Some options to consider include more private-sector audits by our Office, independent third-party audits by industry regulatory bodies, and/or stronger incentives for compliance.
In light of the increasingly global nature of data flows, we also have to work with others, within and beyond our borders. No jurisdiction alone can tackle the plethora of privacy concerns cropping up across the World Wide Web.
I am pleased to say that much is happening on the global stage. We are working with a number of initiatives to develop an international privacy standard and we are a founding member of the new Global Privacy Enforcement Network.
We have also been involved in the privacy work of APEC and the OECD, which in 2010 marked the 30th anniversary of its ground-breaking Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
On a more informal level, 10 data protection offices (including mine) united last year to remind Google and other online companies about the need to respect privacy laws around the world when launching new products and services.
PIPEDA has served us well over the past decade, and the recent amendments will help strengthen it further.
In the next few years, you can expect to see even more developments, including measures to properly address data breaches.
But I don't want to make it sound like it's all about enforcement.
On the contrary: Protecting the personal information of Canadians will take a proactive approach, throughout an organization, at all stages of its business.
Moreover, it's up to everybody – including (and especially) enterprises such as yours.
The privacy challenges are growing and intensifying. And so we need you on board. We need you to acknowledge that privacy is important to your customers and clients. It's integral to their trust and confidence.
In the next three years, my goal is to continue to work with you to find a way to honour that trust.