The job can be daunting. Besides high-profile data breaches, such as the TJX case involving customers of Winners and HomeSense stores, Stoddart has dealt with issues stemming from the many ways people’s private information can migrate into others’ hands. Just recently, an Ontario court ruled Internet service providers could pass information about their subscribers to police without a warrant. The case involved Bell Canada providing information to investigators on an alleged child pornography case, but privacy advocates worry the ruling opens the door to excessive police intrusion into people’s web-surfing habits.

At the same time, Stoddart finds herself coming up against some Canadians’ own indifference to protecting their privacy. “One of the things we’re dealing with is that people push their privacy or their personal information protection to the background because they see so many advantages and conveniences in new technologies,” she says. In particular, she worries about people embracing social networking sites such as Facebook “with sometimes gay abandon” by, for example, posting pictures anyone can access. “These are the challenges now. The challenges come to a great extent from commercial innovation.”

Still, colleagues such as David Flaherty say Stoddart has risen to those challenges. A former B.C. privacy commissioner who sits on Stoddart’s external advisory committee, Flaherty says he first noticed Stoddart in the early 1980s when, as a young historian, she wrote an essay on the status of women in Quebec for a publication he edited. “One of the interesting things about her was that as an anglophone from Toronto, she so immersed herself in Quebec society,” he says.

As a result, Flaherty welcomed Stoddart’s appointment to the federal role and says she has been “quiet but effective.” “I think she has done an excellent job in difficult circumstances,” he says, referring to the Radwanski affair. In particular, he says she has spoken forcefully against the threat of privacy intrusions under the guise of national security laws, something Flaherty says shows she can walk the line between her roles as an enforcer and as an advocate for Canadians.

Philippa Lawson, the former executive director of the Canadian Internet Policy and Public Interest Clinic in Ottawa, praises Stoddart’s personal style. As an advocate for privacy rights who has taken on some of Canada’s biggest corporations, Lawson has butted heads with Stoddart but says the commissioner always listens and took her former organization’s complaints seriously. “As a person, you can’t get any better, and that really helps a lot.” Lawson says Stoddart has been particularly effective as a public speaker on privacy issues. “I think she’s a really solid privacy commissioner.”

Nevertheless, people like John Lawford, a lawyer with the Public Interest Advocacy Centre in Ottawa, disagree with aspects of Stoddart’s approach. One of his biggest concerns is Stoddart’s reluctance to be aggressive with companies that are loose with Canadians’ privacy by naming them in her decisions. As well, he has been critical of Stoddart’s rebuffing of proposals to grant her office the power to make orders against businesses as opposed to just issuing recommendations, which allows companies to “just plain ignore them.”

Stoddart, meanwhile, maintains that her role is similar to that of an ombudsperson where the job is about resolving complaints rather than litigating against alleged violators. “At that level, that’s where I think she’s lacking the fire, and that’s unfortunate,” says Lawford. “I think a lot of that is not her fault. I think a lot of it is because the office was so weakened because they had Radwanski come in and be so much full of fire that he kind of left a burnt bridge or a crisp trail behind him. She was concerned about rebuilding the office — which I think she has done — and got them on an even keel over there and not had them abolished by Parliament, which might have been an outcome.”

One of the areas that’s becoming an increasing challenge for Stoddart is the need for rules to deal with privacy violations that happen outside Canada. A big risk, for example, is the security of data passed through outsourcing arrangements between Canadian companies and operations overseas. “Of course, the legal rules are still largely made for another era, not for instantaneous transmission,” says Stoddart.

That problem came to mind recently when she found herself on the phone talking to a representative in India about ink she had bought for her Dell computer. “I gave him quite a lot of my personal information,” she says. “What happens if, in fact, he turns rogue [and] he sells this information? Where is my recourse as a citizen? If I go to the office of the privacy commissioner in Canada, because it’s obviously international, what can I do then? What are my contacts with Dell? What laws apply? Who can enforce them? Who can look at remedies? It’s just multiplied throughout the world.”

As a result, Stoddart is increasingly working with international organizations such as the Organisation for Economic Co-operation and Development to find ways of dealing with cross-border flows of personal information. But so far, what remedies exist under a scenario like the Dell one aren’t clear. “India, as I understand, does not have a data protection regime like the Canadian one, although I’ve seen drafts of laws being discussed,” she says. “What I understand has happened is that the multinationals that I meet set up their own regimes within Indian contract security penal law where the workers are subjected to very demanding employment conditions which include total confidentiality and security of the information.”

As well, Stoddart notes more international co-operation is also necessary. “Perhaps the ideal way of doing it is that there be data protection authorities in a global network where we can rely on mutual enforcement of similar standards among each other.”