Who’s protecting your privacy rights?

Recently, Canada’s Privacy Commissioner Jennifer Stoddart found Facebook violated federal privacy law and had failed to implement corrective measures with respect to four major privacy gaps. Curiously absent from the decision and media coverage was any mention of enforcement action resulting from such findings. Instead, the media reported the privacy commissioner and Facebook were “at odds” but (thank goodness) were “pledging co-operation” and “continuing dialogue.”

The reality is that notwithstanding the commissioner’s findings, she has little power to do anything — highlighting Canada’s anemic approach to enforcement of federal private sector privacy laws.

We won’t debate the merits of the Facebook decision or cogitate whether Canada’s privacy laws strike the right balance between individual privacy rights and the needs of organizations and business. The decision, however, highlights the paradox of our federal government responding to an important issue of public policy by adopting legislation (the Personal Information Protection and Electronic Documents Act) that mandates compliance with rules governing the collection, use, and disclosure of personal information, but at the same time not equipping the privacy commissioner with powers to enforce compliance or punish violators.

In fact, the commissioner is empowered solely to conduct investigations, make recommendations, and attempt resolution through mediation. Should these mechanisms fail, the commissioner can only issue a report detailing factual findings and recommendations and, at her discretion, publicly name the subject of the complaint. This quintessentially Canadian “hammer” falls well short of effective enforcement power. Instead, a complainant must bring an action in Federal Court to have the recommendations enforced. The court, to date, has accorded little deference to her recommendations or findings; actions are heard de novo.

In provinces that have private sector privacy legislation, the approach departs significantly from the federal one and is more congruous with the import of privacy rights. In Alberta, British Columbia, and Quebec, privacy commissioners have meaningful order-making power. While the emphasis remains on alternative dispute resolution, the provincial commissioners have the statutory power to proceed to formal inquiry if investigation and mediation are unsuccessful. In fact, provincial commissioners have the power to decide all questions of fact and law arising in the course of an inquiry. Issues are disposed of by the making of orders.

In Alberta, once an order has been filed with the Court of Queen’s Bench, it is enforceable as a judgment of that court. In B.C., non-compliance with an order is an offence punishable by fine. Subject to applicable privative provisions, parties have the right to seek judicial review (thus according a degree of protection from regulatory overindulgence). The provincial courts also accord significant deference to the decisions. In Quebec, the right of privacy is not only protected under privacy legislation but enshrined in its Charter of Human Rights and Freedoms.

Resort to such provincial order-making powers has been judicious and restrained. “People may tend to ignore the federal commissioner because she has little power to enforce compliance,” says Stephen Burns, a Calgary partner at Bennett Jones LLP. “In the Western provinces, we have a tendency toward building a collaborative atmosphere seeking to work with the provincial commissioners as failure to do so can have direct consequences. As a result, the provincial order-making powers have only sparingly been used.” According to Daniel Paul, a partner at BCF LLP in Montreal, the experience in Quebec has not been dissimilar. “The review process [in Quebec] is rather efficient,” he says.

Harmonization between the federal and provincial regimes (constitutional issues aside) has merit. In fact, in 2007, the Commons standing committee on access to information concluded the second-generation privacy acts of Alberta and B.C. provide a more practical and updated reflection of privacy protection. Ironically, the same committee also recommended the federal commissioner not be granted order-making powers, based on submissions from Stoddart herself that it was not then opportune to do so.

However, requiring complainants to bring actions in Federal Court to enforce compliance with federal privacy laws is a deterrent to compliance and an inefficient use of resources. Lack of enforcement calls into question Canada’s seriousness about enforcing Canadians’ privacy rights and arguably creates an uneven playing field between organizations and businesses that choose to be privacy compliant and those that don’t.

Now that the federal privacy commissioner’s office appears rehabilitated from its past controversies, it is time to end Canada’s privacy paradox and introduce order-making power. Though the privacy commissioner and Facebook appear to have resolved their differences, such a hammer would be a powerful tool in facilitating the commissioner’s dialogue with those that choose not to toe the line.

Bryan Haynes is a partner and co-chairman of the commercial transactions practice group at Bennett Jones LLP. This column is his personal opinion and is not legal advice.