New laws, stiff penalties needed: privacy watchdog
JORDAN PRESS asks departing privacy commissioner about her work protecting personal information.
Adecade ago, Jennifer Stoddart became Canada’s sixth privacy commissioner when Internet giants and social media websites were on the rise.
She leaves her post Dec. 2, after 10 years of taking on the world’s biggest online companies, such as Google and Facebook, for what she saw as violations of Canada’s privacy laws. She has been an outspoken critic of how the federal government handles and protects personal, sensitive information on millions of Canadians, and the need for modernization of Canada’s privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act.
In an interview in her office during her last week on the job, Stoddart talked about the privacy landscape in Canada today. Below is an edited transcript of the interview.
When you took the job 10 years ago, what did you expect, and how closely have the last 10 years met those expectations?
You couldn’t have foreseen where the world is now in 2003. I didn’t see the implications of the growth of the Internet because we were still looking at things like (direct) mailing to consumer marketing. Who could have foreseen something like Google Street View? To me there was clearly a transgression of Canada’s private sector law, so I got involved in Google Street View, Facebook and others. It’s been a very fulfilling 10 years, but also one where Canada showed that we can make important things happen.
I don’t think it’s my role or the role of a future commissioner to protect people against themselves or define their privacy choices for them. My job is to help them understand what happens when they choose to share personal information, and going after those that don’t comply with Canada’s laws.
Should the privacy commissioner be looking at products before they go to market, to ensure privacy is worked in proactively, rather than reactively?
I don’t think we would go in and check at a beta stage. We wouldn’t have the capacity.
I’ve been calling for a stronger Privacy Act for both sectors — public and private — because it would create an incentive to get it right, to develop new applications in a way that is privacy-protective. Because there are no fines (for Privacy Act violations), I don’t think there’s enough incentive. That has to change.
How steep should a fine be?
Quite steep. Some of the companies we’re talking about that do not listen to regulators are hugely powerful and very wealthy. Europe decided it needs to make some of them sit up and pay attention. The United States’ Federal Trade Commission, which is a consumer protection agency but has also got into privacy more recently, fined Google $22.5 million US (for privacy violations). We know from dealing with Google at the same time that they took the Federal Trade Commission far more seriously than us because we have no fines to levy.
It certainly isn’t because I haven’t advocated for it. I’ve had a lot of support for the public sector changes (such as creating a test for departments to pass before collecting personal information, and institute a mandatory five-year review of the Privacy Act). The business community is happy with the law as it is. When PIPEDA (which oversees privacy rules in the private sector and the healthcare sector in some provinces) came in, we were concerned about the federally regulated industries (such as) banks. We’re dealing with a new creature that didn’t even exist. In that context, we need a tougher law.
The public sector has been under pressure for recordhigh data and privacy breaches, staff at the CRA going into personal files — does this surprise you?
I had really hoped that things had improved, but people kept coming to us with complaints. We should be further along. It’s not that we don’t talk about privacy in the government, but I am surprised there are so many slipups.
Most civil servants have this strong sense of ethics, but I think it hasn’t been taken seriously enough and we’ve seen few deterrents. It’s not clear what happens to employees. That’s all private. We have to be a lot stricter in the codes of conduct. Minister (Tony) Clement wrote me saying that starting in January, there will be mandatory notifications of privacy breaches to Treasury Board and my office in the most egregious cases. I’ve been calling for some kind of mandatory breach notification.