Clement open to fines for lax security

* 7 May 2011
* Ottawa Citizen
* By Sarah Schmidt

Industry Minister Tony Clement is open to the idea, put forward by Canada’s privacy watchdog, of giving her the power to slap corporations with fines if they don’t protect their customers’ personal information.

“I have not closed the door to it, but there would have to be additional consultations on that issue,” he said.

Earlier this week, Privacy Commissioner Jennifer Stoddart said the federal government should update the country’s private-sector privacy law to include fines, given the “alarming trend toward ever-bigger” data breaches.

“It seems to me that it’s time to begin imposing fines — significant, attention-getting fines — on companies when poor privacy and security practices lead to breaches,” Stoddart told a privacy forum.

Under Canada’s privacy law governing the private sector, Stoddart has no power to impose any fines and companies are not required to report breaches to her office.

The Conservative government’s most recent proposal to update the law — which died when the federal election was called — did not include any powers to impose fines. But the proposal stated a company would have to report a “material” data breach to the privacy commissioner if the company concluded that the breach indicated a systemic problem.

Other factors to consider when determining if the mandatory-reporting rule kicked in included the sensitivity of the information and the number of customers affected.

The amendments were tabled in May 2010 following a mandatory statutory review of the law carried out in 2008. Stoddart said much has changed since those consultations about the Personal Information Protection and Electronic Documents Act (PIPEDA), so she’s asking Industry Canada to consider fresh amendments to empower her to impose fines for massive data breaches.

Clement acknowledged Friday that a lot of time has passed, saying “I think it does behoove us to do those consultations again.”

He added that the issue is a priority under the government’s digital-economy strategy.

This is welcome news for John Lawford, a staff lawyer for the Public Interest Advocacy Centre who participated in the earlier review of the private-sector privacy law.

He supports Stoddart’s push for powers to slap fines on companies in cases of big data breaches, but Lawford said there’s an even bigger problem with last year’s proposed amendments.

“You’ve got to fix the first part,” Lawford said, of the discretion given to companies to decide whether a breach meets the test for mandatory reporting.