It’s a pain, but Jennifer Stoddart is quite happy to put a password on her BlackBerry. Of course, she’s the same person who keeps a shredder in her bedroom. And retailers beware: Forget asking Stoddart for her phone number at the cash register. “Giving out my home phone number in order to buy a tube of lipstick, I’ll push back because this all goes into making your marketing profile, which is often based on telephone numbers. It’s not a legal requirement to give your telephone number to purchase anything.”
Stoddart has good reason to be leery. As the federal privacy commissioner, she is constantly exposed to scams and data breaches. In 2005, in fact, she became the “unwanted main character” in a Maclean’s magazine story about Canadians’ vulnerability to leaks of their cellphone records. After paying a U.S. data broker $200, the magazine got detailed lists of her calls and then handed them to her. The case was a good lesson in how even Canada’s privacy watchdog wasn’t safe from scammers seeking profit by sharing personal information.
Since taking on the job in 2003, Stoddart has championed Canadians’ privacy rights. From speaking out recently against the Conservative government’s plans to let police listen in on people’s Internet-based conversations to taking on retailer TJX Companies Inc. over the leaking of customer credit card data to hackers in 2007, she has made it clear governments and businesses need to do more to guard against intrusions. “Unfortunately, there’s a growing big bad world of cyber-thieves out there,” she says. “There’s a whole black market in stolen credit cards, stolen SIN numbers, full addresses.”
Defending rights, in fact, has been a focus for Stoddart since she finished law school at McGill University in 1980. Her career has spanned the federal and Quebec public services, including her first job out of law school working for the now-defunct Advisory Council on the Status of Women. She then went on to work for both the Canadian and Quebec human rights commissions before becoming president of the Commission d’accès à l’information du Québec. “I guess when it’s all said and done, one of the important things about life is what you’ve contributed, what you’ve done for your society, what you’ve added to it in a positive way,” she says. “I’d say social justice obviously, but more than that issues of fairness and equity in society, [and] issues of appropriate public policy, whether it be hands on or hands off.”
The daughter of a lawyer, Stoddart says her choice to pass up private practice for public service has been a good fit. “There are really important issues, and I just find it personally more fulfilling to work in government on public policy issues than I would working for one client. I always have problems seeing only one side of an issue so I’m happiest in issues where there is a kind of adjudicative value [and] there is an analysis because I find it’s very rare that one side is totally right, and the other side is totally wrong.”
The switch from human rights law to privacy issues was a natural one, she adds. “Certainly there’s a great similarity between human rights commissions [and privacy],” she says, noting privacy issues fell under federal human rights legislation until the government passed a separate law in 1982.
But since becoming privacy commissioner, a big focus has been resuscitating an office decimated by public controversy over her predecessor George Radwanski, whose spending habits were the subject of a fraud trial that ended with his acquittal this year. Radwanski left in disgrace in 2003. “It was very difficult, and there were at least four investigative bodies here when I took over,” says Stoddart. They were “reviewing everybody’s level of classification, which is basically your salary level in the public service. Nothing can be more threatening than somebody going along saying ‘I think you’re overpaid’ and then issuing recommendations to me. I think there were 20 classifications they suggested that I should downgrade. . . . I didn’t downgrade them all. That was my discretion. I had to defend it.”
Stoddart has turned the office around in concert with increases to her office’s budget from the government. As a result, staffing levels have doubled to about 160 people from 85 when she took over. “We have a whole new generation of young privacy lawyers,” she says, noting it’s only now that many new practitioners are getting specific training in privacy and access to information issues.
The job can be daunting. Besides high-profile data breaches, such as the TJX case involving customers of Winners and HomeSense stores, Stoddart has dealt with issues stemming from the many ways people’s private information can migrate into others’ hands. Just recently, an Ontario court ruled Internet service providers could pass information about their subscribers to police without a warrant. The case involved Bell Canada providing information to investigators on an alleged child pornography case, but privacy advocates worry the ruling opens the door to excessive police intrusion into people’s web-surfing habits.
At the same time, Stoddart finds herself coming up against some Canadians’ own indifference to protecting their privacy. “One of the things we’re dealing with is that people push their privacy or their personal information protection to the background because they see so many advantages and conveniences in new technologies,” she says. In particular, she worries about people embracing social networking sites such as Facebook “with sometimes gay abandon” by, for example, posting pictures anyone can access. “These are the challenges now. The challenges come to a great extent from commercial innovation.”
Still, colleagues such as David Flaherty say Stoddart has risen to those challenges. A former B.C. privacy commissioner who sits on Stoddart’s external advisory committee, Flaherty says he first noticed Stoddart in the early 1980s when, as a young historian, she wrote an essay on the status of women in Quebec for a publication he edited. “One of the interesting things about her was that as an anglophone from Toronto, she so immersed herself in Quebec society,” he says.
As a result, Flaherty welcomed Stoddart’s appointment to the federal role and says she has been “quiet but effective.” “I think she has done an excellent job in difficult circumstances,” he says, referring to the Radwanski affair. In particular, he says she has spoken forcefully against the threat of privacy intrusions under the guise of national security laws, something Flaherty says shows she can walk the line between her roles as an enforcer and as an advocate for Canadians.
Philippa Lawson, the former executive director of the Canadian Internet Policy and Public Interest Clinic in Ottawa, praises Stoddart’s personal style. As an advocate for privacy rights who has taken on some of Canada’s biggest corporations, Lawson has butted heads with Stoddart but says the commissioner always listens and took her former organization’s complaints seriously. “As a person, you can’t get any better, and that really helps a lot.” Lawson says Stoddart has been particularly effective as a public speaker on privacy issues. “I think she’s a really solid privacy commissioner.”
Nevertheless, people like John Lawford, a lawyer with the Public Interest Advocacy Centre in Ottawa, disagree with aspects of Stoddart’s approach. One of his biggest concerns is Stoddart’s reluctance to be aggressive with companies that are loose with Canadians’ privacy by naming them in her decisions. As well, he has been critical of Stoddart’s rebuffing of proposals to grant her office the power to make orders against businesses as opposed to just issuing recommendations, which allows companies to “just plain ignore them.”
Stoddart, meanwhile, maintains that her role is similar to that of an ombudsperson where the job is about resolving complaints rather than litigating against alleged violators. “At that level, that’s where I think she’s lacking the fire, and that’s unfortunate,” says Lawford. “I think a lot of that is not her fault. I think a lot of it is because the office was so weakened because they had Radwanski come in and be so much full of fire that he kind of left a burnt bridge or a crisp trail behind him. She was concerned about rebuilding the office — which I think she has done — and got them on an even keel over there and not had them abolished by Parliament, which might have been an outcome.”
One of the areas that’s becoming an increasing challenge for Stoddart is the need for rules to deal with privacy violations that happen outside Canada. A big risk, for example, is the security of data passed through outsourcing arrangements between Canadian companies and operations overseas. “Of course, the legal rules are still largely made for another era, not for instantaneous transmission,” says Stoddart.
That problem came to mind recently when she found herself on the phone talking to a representative in India about ink she had bought for her Dell computer. “I gave him quite a lot of my personal information,” she says. “What happens if, in fact, he turns rogue [and] he sells this information? Where is my recourse as a citizen? If I go to the office of the privacy commissioner in Canada, because it’s obviously international, what can I do then? What are my contacts with Dell? What laws apply? Who can enforce them? Who can look at remedies? It’s just multiplied throughout the world.”
As a result, Stoddart is increasingly working with international organizations such as the Organisation for Economic Co-operation and Development to find ways of dealing with cross-border flows of personal information. But so far, what remedies exist under a scenario like the Dell one aren’t clear. “India, as I understand, does not have a data protection regime like the Canadian one, although I’ve seen drafts of laws being discussed,” she says. “What I understand has happened is that the multinationals that I meet set up their own regimes within Indian contract security penal law where the workers are subjected to very demanding employment conditions which include total confidentiality and security of the information.”
As well, Stoddart notes more international co-operation is also necessary. “Perhaps the ideal way of doing it is that there be data protection authorities in a global network where we can rely on mutual enforcement of similar standards among each other.”
Lawson, however, says on that issue Stoddart’s office has trod carefully. A few years ago, she asked the office of the privacy commissioner to look into an American web site, abika.com, that was, according to court documents, allegedly selling information about Canadians, including background checks, psychological profiles, cellphone numbers, and criminal records. Lawson, who paid $119 for a report on herself, filed a complaint under the Personal Information Protection and Electronic Documents Act alleging the company gave out information on Canadians without their permission.
Stoddart’s office, though, declined to probe the case, arguing it didn’t have jurisdiction to take action against companies outside Canada even though the complaint had merit. In response, Lawson took the commissioner to Federal Court, which ruled that while privacy legislation doesn’t specifically authorize her to investigate such matters, it doesn’t preclude her from doing so either. Further, the judge noted that while probing the case might be difficult, especially when the alleged violator declines to respond or co-operate, that doesn’t mean it’s not worth a try. The commissioner could also attempt to locate the company’s Canadian operations, the judge wrote.
It was the second time Lawson had launched a court challenge against the privacy commissioner over a cross-border matter, something she argues exemplifies the office’s cautious approach. At the same time, Lawson disagrees with Stoddart’s point that contracts between Canadian companies and the entities they outsource to can mitigate the risks of data breaches since a foreign government — under the U.S. Patriot Act, for example — can override those agreements through the guise of national security. As a result, she’d like to see Stoddart adopt a blacklist of countries that don’t offer comparable privacy protection to Canadian laws.
Stoddart has identified changes she would like to see to federal privacy legislation to improve protections. In particular, she recommended several amendments to the Privacy Act, which governs the actions of government departments. Much of the advice focuses on how departments manage privacy issues, especially in light of information-sharing practices that have developed among law enforcement agencies following the Sept. 11, 2001, terrorist attacks. The Canada Border Services Agency should consider its practice of verbally sharing information with other countries and track how often it does so, Stoddart’s office recommended. She also addressed the issue of mandatory reporting of data breaches to her office, something neither government agencies nor private companies have to do now. “There are some irritants in PIPEDA that should be ironed out,” she says, noting the act is to come up for review next year.
Still, Lawson would like the government to go a few steps further in reforming privacy legislation. First, she wants authorities to lessen the financial risks people who take privacy cases to Federal Court face when they lose and find themselves liable for costs. As well, she feels the court process should protect complainants’ personal information, something that doesn’t happen even though privacy is usually what the case is all about.
Lawford, too, would like to see Stoddart have the authority to, in some cases, prohibit the transfer of sensitive information to outsourced companies overseas. “That could be an outcome, but we’re not there because when she had a chance to ask for order-making powers, she didn’t,” he says, referring to her remarks before a parliamentary committee reviewing PIPEDA a few years ago.
Stoddart, though, does have her hands full with the constantly emerging ways Canadians find their privacy in jeopardy. Just recently, her officials met with representatives of Google Inc. over that company’s plans to introduce interest-based advertising, which essentially allows marketers to target consumers based on what they do on the Internet, including the web pages they visit. “Clearly, behavioural advertising generally is again another challenge,” she says, noting that while companies may vow to collect information in a way that masks who the user is, such protections don’t always work out as planned. “[Y]ou have data spills inadvertently. You have data breaches. You have organized crime being interested.”
One of the biggest issues, however, involves balancing the need to protect privacy with the desire by law enforcement agencies to probe cases that technology has rendered increasingly complex. Even in cases that appear to be legitimate intrusions for the purposes of law enforcement, Stoddart remains cautious. She praises Alberta privacy commissioner Frank Work’s victory in that province’s courts against a bar that challenged restrictions on the scanning of driver’s licences. The club owners argued collecting the information would help prevent violence in bars, but Work ruled the bar didn’t prove that doing so would stop the problem and ordered it to stop. Recently, the courts upheld that conclusion.
It’s on such stances against a so-called “surveillance society” that people like Lawford praise Stoddart’s performance despite concerns over her actions against the private sector. In the end, however, Stoddart herself acknowledges the conflicts inherent in privacy protection. Even she doesn’t follow all the advice privacy advocates put out there. She doesn’t do anything different with her garbage, for example, despite stories about how vulnerable it can be to intruders. And while she worries about financial institutions sending out pre-approved cheques to their customers, she’s not yet ready to heed recommendations to lock her mailbox.