Privacy Advisor

Stoddart: PIPEDA Needs Reform To Bring Enforcement Powers

June 1, 2013

By Sam Pfeifle
Publications Director

Privacy Commissioner Jennifer Stoddart, wrapping up 10 years in her office this year, used her keynote address at the IAPP Canada Privacy Symposium 2013 in Toronto to lay out her recommendations for reforming the Personal Information Protection and Electronic Documents Act (PIPEDA). In short: Amendments should include stronger enforcement powers, mandatory data breach reporting, teeth behind accountability and increased transparency measures.

Canadian Privacy Commissioner Jennifer Stoddart addresses IAPP Canada Privacy Symposium.

“It’s with some sadness that I address you all for the last time as commissioner,” Stoddart told the assembled privacy professionals here in Toronto in introducing a position paper her office released this morning, The Case for Reforming the Personal Information Protection and Electronic Documents Act.”

“The world of privacy has changed, and Canada’s laws need to keep up,” Stoddart said. “Personal information has been called the oil of the digital economy, and as companies drill for more data, the risks to privacy are growing exponentially. They have grown into data giants, quasi-monopolies that have the ability to glean deep personal insights.”

While many of these companies offer their services at no cost, she noted, that doesn’t mean they’re not under constant pressure to turn a profit. This has led them to build profiles of users and get a better understanding of those users to serve up targeted ads or market their services. Thus, she said, “If you’re not paying for the product, you are the product.”

“At the root of many of the privacy challenges we face,” she said, “is that technology is growing so quickly that some companies are failing to address privacy issues in the competitive rush (and they are) creating products that can be used in highly privacy-intrusive ways, ways that consumers don’t anticipate, much less knowingly consent to.”

Further, “security lapses are leaving personal information vulnerable to loss or theft,” she said. “Major corporations display carelessness in data protection again, and again, and again.” As many as one in four websites the Office of the Privacy Commissioner (OPC) has tested recently were either unaware they were disclosing information to third parties or were not clearly disclosing that they were providing information to third-party service providers.

These are major privacy concerns, she said, but “our law does not contain the right incentives to make sure privacy is a consideration when companies produce risk assessments. It’s clear that without amendments, PIPEDA will be even less up to the task in the future. The balance that PIPEDA is supposed to bring is increasingly not there.”

Stoddart’s only real power, she noted, is to name companies, to bring them public shame. “But how can Canadians vote with their feet,” she wondered aloud, “when more and more information is being held by fewer and fewer companies?”

In fact, she said, “we have not seen a huge decline in stocks” following a corporation being named. “I have not heard that this was a huge financial setback, which leaves me quite skeptical about the naming of miscreant companies.”

Thus, she said, her first recommendation is that PIPEDA be amended to either include statutory damages to be administered by the federal court or provide the privacy commissioner with order-making powers and/or “the power to impose administrative monetary penalties where circumstances warrant.”

“We’re in a new business world where companies can stay financial powerhouses despite flouting fair information principles,” she said by way of explanation. “’Privacy is good business’ is not a mantra that I’m repeating anymore, because companies can get away with flouting privacy and still make a ton of money.”

She told the room of privacy professionals that this is actually a good thing as far as they’re concerned. “You need compliance enforcement to help you support your work.” A bigger stick in the hand of the privacy commissioner ought to get corporations to give CPOs a better seat at the corporate table.

But that’s not the only change she’d like to see made. She wants to see breach notification become mandatory, so that organizations must report breaches to the OPC and notify individuals where warranted. Failing to do so should result in a penalty in some cases, Stoddart said.

As the law stands now, it’s unfair to the country’s good actors, she said. “The current regulation is unacceptable,” she said. “Organizations that do voluntarily report breaches may face public shame and the expense of cleaning up, while those who do not report may escape with no harm to reputation or bottom line unless they are found out. This is an uneven playing field.”

This increased transparency is in line with expectations of Canadian citizens, Stoddart said, and she also feels PIPEDA should be amended so that those authorized disclosures of PII that companies make to law enforcement under paragraph 7(3)(c.1) are publicly reported.

“More transparency is needed,” she said, “to show how, and why, and how often this mechanism is used.”

Finally, the last major area where PIPEDA needs amendment, Stoddart said, is in the area of the accountability principle in Schedule 1. Companies, she said, should be required to demonstrate, on demand, that they are meeting the privacy principles in PIPEDA. “There needs to be some enforcement power,” she said, “some hook…It’s a bit naïve to think that this will all happen without some incentive, which would be the power to say, ‘Okay, it’s your turn today, demonstrate to me that you are accountable.’ Too often, our investigations over the years have shown that companies have repeatedly failed to adapt their privacy-governance processes to address certain problems, even in some cases after we’ve investigated them.”

Thus, Stoddart believes PIPEDA should include the concept of enforceable agreements and accountability provisions subject to review by a federal court.

Again, she said privacy professionals should welcome this kind of change. It will take this kind of enforcement power “to ensure that privacy attains the prominence it deserves within organizations—we need incentives that will help support your critical work,” she told the audience, “as privacy professionals.”

Read More By Sam Pfeifle:
Creating a Data Empire (with Uncle Enzo and Steve Sneak)
What Went Wrong at Bloomberg, and Where Do They Go Now?
The Impact of SP 800-53: Putting Privacy and Security Side-By-Side
Will the White House Soon Have A Chief Privacy Officer or Not?