In terms of the Commissioner’s powers, Jennifer Stoddart questions whether her so-called “ombudsman approach” lacks the order-making powers of other pieces of privacy legislation such as B.C.’s or Alberta’s. On the other hand, Stoddart describes this type of role as one that is a more approachable and flexible way to handle conflict between two parties.
Privacy experts agree that PIPEDA needs more teeth but differ in opinion when it comes to how and when this should be applied. Ian Turnbull, director of the Canadian Privacy Institute, said the current legislation isn’t clear about a company’s rights or obligations.
“(Stoddart) needs to have more clout,” Turnbull said. “Does that translate into more direct authority to punish? Maybe.”
Likewise, Sara Levine, a lawyer with Fasken Martineau law firm, who specializes in privacy and information protection, said the order-making framework provides certainty in the law.
“People are aware of the risks, and the risks amount to potentially naming and shaming,” said Levine. But Stoddart has rarely published the names of violators, she said.
“They can’t be ordered to do anything if the company has been found in some way to breach the law,” she said. “The reality is companies would comply with the recommendation of the privacy commissioner.”
Both Levine and Turnbull said that the privacy commissioner’s case summaries lack detail and are often vague when referring to the offending company.
“If you read a lot of the commissioner’s cases, they talk about a railway company or a major retailer or some phrase that may allow you to get who it is, but most of the time leaves enough ambiguity that the guilty party doesn’t have to worry,” said Turnbull.
Many companies would opt to pay for damages rather than have their name dragged out in public, which could have more dire long-term consequences, he said.
“For most of these companies, it’s not the amount of money that causes them the most concern,” he said. “What causes them the most concern is public reaction.”
Another key issue that the commissioner brought up in her report was that of duty to notify. Highly publicized ID theft cases in the U.S. such as Choicepoint have caused many states to push through laws that require companies to notify people of a data breach after it occurs. In her report, Stoddart mentioned Ontario’s Personal Health Information Protection Act as the only piece of legislation in Canada that requires notification after a breach has occurred.
Stoddart writes: “Some may argue that PIPEDA should include a similar duty to notify the individuals affected after a security breach.”
But Levine warns of the potential implications of such a requirement, the major one being too many data breach notifications, which could cause people to pay less attention to the issue.
“If the requirement to notify occurs regardless of the type of information that has been breached, then the effectiveness of the notification is diminished,” she said.
The commissioner’s office is taking feedback from the public until next month. The office is planning to release a report on this feedback sometime this fall, according to a department spokesperson.