Stoddart is disappointed that a statutory five-year review of the legislation governing federally-regulated private-sector organizations, scheduled to have taken place in 2011, has yet to be launched. The Privacy Commissioner of Canada is just as disappointed by amendments introduced to the Personal Information Protection and Electronic Documents Act (PIPEDA), tabled as Bill C-12 last fall.
“I am very, very disappointed that we’re not moving ahead with privacy reform issues. They’re long overdue,” Stoddart said recently.
In fact, Stoddart is openly calling into question the effectiveness of the ombudsman model to regulate private-sector practices for the protection of personal information in light of the propensity of social media firms to amass a staggering amount of personal information on Canadians and high-profile data breaches that have compromised the personal information of Canadians.
Stoddart is asking the government for the power to hand out “meaningful sanctions as data breaches are getting totally out-of-hand,” and for a mandatory requirement that private-sector organizations report significant data breaches to the Privacy Commissioner and affected individuals.
“Canadian privacy legislation has lagged behind the reforms in other major countries, and so there isn’t much incentive for corporations to invest in the kind of software or personnel training that makes Canadians’ data safer,” said Stoddart recently before the House of Commons access to information, privacy, and ethics committee. “So I think basically the bill (C-12) could be strengthened. We have to have stronger enforcement powers, because under the present regime there’s almost no sanction for a company that doesn’t report either to my office or to consumers, if there’s a real risk of significant harm.”
The Office of the Privacy Commissioner of Canada (OPC) has the mandate of overseeing compliance with both PIPEDA and the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies.
“If that were to be the way we go, this would be a departure from certainly part of the ombudsman model. I guess it is this model fundamentally that I am asking to be examined – is it the most appropriate one particularly for the largely on-line environment of personal information used now,” Stoddart, Canada’s Privacy Commissioner since 2003, told me.
Stoddart’s reflections on the efficacy of the ombuds model appear to coincide with the release of a report commissioned by the Privacy Commissioner that recommends granting the OPC additional powers such as the ability to levy fines and limited order-making powers aimed at small and medium-sized businesses. The current ombudsman model, while “particularly well suited” to the first phase of regulating industry, does not appear to be as well suited to the small and medium-sized business sector, where compliance rates are lower and the risk to personal information is greater, says the report, penned by Université de Montréal professor France Houle and Osgoode Hall Law School Dean Lorne Sossin.
“The ombudsman model is based on finding solutions through consensus, and to fine a business that does not comply with the statute is contrary to the very foundation of the ombudsman model,” noted Houle, an administrative law scholar who, along with Sossin, is part of a team assisting the Privacy Commissioner with the review she is now conducting. “We believe that if Parliament agrees with the Commissioner that order-making power should be conferred to the OPC then the OPC should be transformed into another type of board like a regulatory board such as the Canadian Radio-television and Telecommunications Commission.”
Stoddart, though, is far from convinced that “another type of public agency” needs to be established, pointing out that she is far from certain that “we are at a time” where yet more public agencies need to be created. “There are probably enough public agencies,” said Stoddart.
At present, the federal Privacy Commissioner has weaker powers than her counterparts in Alberta, British Columbia and Quebec, who oversee substantially-similar private sector legislation. Unlike the other commissioners, Stoddart does not have the power to make orders requiring organizations to comply with PIPEDA. She can only make “recommendations.”
The statutory five-year review of PIPEDA may prove to be an ideal opportunity to adopt a hybrid ombudsman model approach, says Kris Klein, a privacy lawyer with nNovation LLP in Ottawa. Klein points out that in Alberta and BC, the privacy commissioner will take a preliminary look at a case and try to deal with it informally, either through early resolution or mediation. Failing that, the matter heads towards an inquiry, a formal adjudicative proceeding in which the Commissioner receives submissions from all parties involved in the matter and decides all issues of fact and law. An inquiry concludes with the issuance of an order, which may be reviewed only by way of an application for judicial review before the Court of Queen’s Bench of Alberta.
“A lot of industry has been waiting and not adapting changes to their personal information handling practices because of the lack of significant consequence in the law,” said Klein. “So for those companies that have taken the time to make changes, I think they are going to sort of applaud the idea of legislation with more teeth because their competitors will have to take it more seriously too.”
Before any changes are made to the ombuds model, noted privacy expert David Fraser suggests a thorough debate is needed to determine “whether or not it is a correct choice to make.” Adequate procedural safeguards would have to be established if the federal Privacy Commissioner is granted order-making powers or the ability to levy fines, says Fraser, a partner with McInnes Cooper.
“If all of a sudden, she has order-making powers that brings into one person or one office the roles of advocate, prosecutor and judge that is problematic generally speaking from an administrative point of view because you are mixing up what otherwise are very discrete roles in order to avoid actual bias or apprehension of bias,” said Fraser, who added that the current system, while not perfect, “is pretty good, better than systems in a number of other jurisdictions.”