Privacy commissioner wants power to impose 8-figure fines against offenders

TORONTO – Canada’s privacy commissioner Jennifer Stoddart says she’s tried naming and shaming some of the world’s largest companies into respecting the privacy of Canadians.

But, she admits, it hasn’t really worked.

So she wants to hit them where it hurts: on companies’ bottom lines.

Stoddart wants Canada’s Federal Court to have the power to impose punishing penalties when organizations run afoul of privacy laws. And not a slight slap on the wrist that companies can budget for, she’s talking fines in the neighbourhood of eight figures.

Pointing to a record-high US$22.5 million fine successfully levied against Google last year by the U.S. Federal Trade Commission, Stoddart says there’s no reason Canada can’t be just as tough.

“That kind of fine gets the attention of the organization the way my requests to change their practices and give us a report doesn’t,” says Stoddart, who has previously called for fines without stating how big they should be.

“I think that’s what’s needed. You need something to capture the attention of (companies about) the importance of Canadian regulation for operating in Canada with Canadians’ personal information. It has to be significant enough so that investors, financial analysts and so on will go, ‘Whoops, what’s happening here?'”

Stoddart’s comments followed a speech at a conference in Toronto hosted by the Canadian chapter of the International Association of Privacy Professionals, where she released a position paper suggesting that the Personal Information Protection and Electronic Documents Act is weak, outdated and in need of a major update.

She noted the act came into effect before Facebook and Twitter were launched and before legislators could imagine the implications of technologies like Google’s Street View.

Among the recommendations in her paper are calls for a range of financial penalties that could be imposed by Federal Court, the ability to order organizations to halt privacy-infringing activities, and a requirement that companies report breaches of personal information.

Stoddart, whose mandate is due to expire in December after 10 years on the job, said the federal government has shown interest in privacy issues but she doesn’t know how her successor will fare in working toward stronger regulations.

“Certainly a lot of respect has been shown to my office, whether these changes make it to the legislative agenda sooner or later I can’t predict, but I do predict that eventually Canada will have to move,” she said.

Stoddart has won major victories in convincing companies such as Facebook and Google to adapt their practices to Canadian law, but she noted that the fight to keep companies onside is never-ending.

“The challenge for us is they’re always coming up with new products and these products always tend to push the boundaries,” she said.

“The privacy landscape is changing, there’s increasing and new technologically challenging threats to privacy, and in order to make organizations more aware of their privacy obligations I think we need some more incentives. Presently, there are none.”

Stoddart’s position paper “The Case for Reforming the Personal Information Protection and Electronic Documents Act”: