On the eve of a statutory five-year review of the legislation governing federally-regulated private-sector organizations, the Privacy Commissioner of Canada is openly calling into question the effectiveness of the ombudsman model to regulate private-sector practices for the protection of personal information in light of the recent spate of high-profile data breaches that have compromised the personal information of Canadians.
In the midst of reviewing Canada’s privacy accountability model before submitting a report to the federal government, Jennifer Stoddart will likely ask the government to consider introducing “meaningful sanctions as data breaches are getting totally out-of-hand” and a mandatory requirement for private-sector organizations to report significant data breaches to the Privacy Commissioner and affected individuals, something that the Canadian Parliament was considering before it was dissolved last spring for the elections.
“Within the next four, five months I am going to take a position of what kind of powers the Privacy Commissioner should have in the 21st century,” said Stoddart, who is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Office of the Privacy Commissioner of Canada (OPC) has the mandate of overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which will undergo a five-year review this fall.
“If that were to be the way we go, this would be a departure from certainly part of the ombudsman model. I guess it is this model fundamentally that I am asking to be examined – is it the most appropriate one particularly for the largely on-line environment of personal information used now,” added Stoddart, Canada’s Privacy Commissioner since 2003.
Stoddart’s reflections on the efficacy of the ombudsman model appear to coincide with the release of a report commissioned by the Privacy Commissioner that recommends granting the OPC additional powers, such as the ability to levy fines and limited order-making powers aimed at small- and medium-sized businesses. The current ombudsman model, while “particularly well suited” to the first phase of regulating industry, does not appear to be as well suited to the small- and medium-sized business sector, where compliance rates are lower and the risk to personal information is greater, says the report, penned by Université de Montréal professor France Houle and Osgoode Hall Law School Dean Lorne Sossin.
“The ombudsman model is based on finding solutions through consensus, and to fine a business that does not comply with the statute is contrary to the very foundation of the ombudsman model,” noted Houle, an administrative law scholar who, along with Sossin, is part of a team assisting the Privacy Commissioner with the review she is now conducting. “We believe that if Parliament agrees with the Commissioner that order-making power should be conferred to the OPC then the OPC should be transformed into another type of board like a regulatory board such as the Canadian Radio-television and Telecommunications Commission.”
Stoddart, though, is far from convinced that “another type of public agency” needs to be established, pointing out that she is far from certain that “we are at a time” where yet more public agencies need to be created. “There are probably enough public agencies,” said Stoddart.
At present, the federal Privacy Commissioner has weaker powers than her counterparts in Alberta, British Columbia and Quebec, who oversee substantially similar private-sector legislation. Unlike the other commissioners, Stoddart does not have the power to make orders requiring organizations to comply with PIPEDA. She can only make “recommendations.”
The statutory five-year review of PIPEDA may prove to be an ideal opportunity to adopt a hybrid ombudsman model, says Kris Klein, a privacy lawyer with nNovation LLP in Ottawa. Klein points out that in Alberta and BC, the privacy commissioner will take a preliminary look at a case and try to deal with it informally, either through early resolution or mediation. Failing that, the matter heads towards an inquiry, a formal adjudicative proceeding in which the Commissioner receives submissions from all parties involved in the matter and decides all issues of fact and law. An inquiry concludes with the issuance of an order, which may be reviewed only by way of an application for judicial review before the Court of Queen’s Bench of Alberta.
“A lot of industry has been waiting and not adapting changes to their personal information handling practices because of the lack of significant consequence in the law,” said Klein. “So for those companies that have taken the time to make changes, I think they are going to sort of applaud the idea of legislation with more teeth because their competitors will have to take it more seriously too.”
Before any changes are made to the ombuds model, noted privacy expert David Fraser suggests that a thorough debate is needed to determine “whether or not it is a correct choice to make.” Adequate procedural safeguards would have to be established if the federal Privacy Commissioner is granted order-making powers or the ability to levy fines, says Fraser, a partner with McInnes Cooper.
“If all of a sudden, she has order-making powers that brings into one person or one office the roles of advocate, prosecutor and judge that is problematic generally speaking from an administrative point of view because you are mixing up what otherwise are very discrete roles in order to avoid actual bias or apprehension of bias,” said Fraser, who added that the current system, while not perfect, “is pretty good, better than systems in a number of other jurisdictions.”