One of her priorities is to strengthen PIPEDA, the Personal Information Protection and Electronic Documents Act, when it faces a mandatory review by Parliament later this year.
The main items that Stoddart has hinted she’ll push for include increased enforcement powers for the Federal Privacy Commissioner and tougher penalties for companies found to have failed to comply with PIPEDA, including publicly naming violators.
With regards to enforcement and penalties, Commissioner Stoddart notes that Canada has “become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines.” In contrast, “the CRTC has the power to to impose fines for violations of the do-not-call rules (and recently slapped Bell Canada with a record-setting $1.3-million penalty).” In addition, “there are significant fines – $10 million for businesses – provided for in the new anti-spam law.” Furthermore, privacy regulators like the UK Information Commissioner and the Spanish Data Protection Agent all use their enforcement powers to successfully signal that privacy violations will be met with financial penalties.
Finally, Commissioner Stoddart candidly admitted that there is a growing discomfort with the secretive nature of privacy investigations under PIPEDA:
It seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings.