Canada’s Privacy Commissioner has taken on the Internet heavyweights –
and transformed her office in the process
In a country where business cops have a history of pulling more
punches than they have thrown, Jennifer Stoddart is a sheriff to be
As Canada’s Privacy Commissioner for the last seven years
she has transformed a once embattled agency into a pioneering regulator
that has blazed a global trail for privacy protections. She has scolded
Internet titans Facebook and Google into tightening flimsy privacy
settings. On her home turf, Canadian telecom, financial and retail
companies have bowed to demands to stop tracking or sharing customers’
digital footprints without permission. And she must be the only
regulator that has posted a children’s video about privacy rights on
"She has taken the lead in sounding the privacy alarm,"
said John Simpson, a consumer advocate with Consumer Watchdog in Santa
Adds Jeff Chester, executive director of the
Washington-based Center for Digital Democracy: "She’s given Canada a
huge profile on the global privacy stage."
How did an Ottawa-based
regulator with limited enforcement powers earn so much credibility?
answer may be that opponents underestimated Ms. Stoddart, a 61-year-old
former civil liberties lawyer who likes to relax by riding her horse
for hours through endurance trials. On the surface there was much to
underestimate. The commissioner was a virtual unknown outside of Canada
until a few years ago. And her powers are so limited that her office can
only order privacy offenders into line by filing a claim in Federal
Court, a cumbersome and unpredictable process.
So it is little
surprise that California-based Internet heavyweights such as Google and
Facebook initially paid little attention to the small privacy regulator
in a far away place called Ottawa. It didn’t help that the companies are
located in a country that has the distinction of being one of the few
world powers without a national privacy act or regulator.
Web giants began moving across the border in a big way in the mid
2000s, they apparently didn’t notice that Canada had a fresh set of
privacy laws requiring companies to give customers a clearly worded
choice to stop companies, including websites, from sharing private
"Obviously no one bothered to look to see if Canada
had laws on this," Ms. Stoddart said tartly during an interview from her
small Ottawa office.
The oversight prompted the Privacy
Commissioner of Canada to launch in 2008 the world’s first investigation
into Facebook’s scanty privacy safeguards. The regulator also slowed
Google’s plans to send cars armed with cameras to capture and post
images of virtually every urban inch of the country on its Google Street
Initially, the U.S. Goliaths co-operated with the
David-like regulator. Last year, Facebook agreed to recalibrate its
global privacy settings to make it easier for users to protect their
information and photographs. It also promised to introduce by this
summer tighter barriers limiting software developers and others from
collecting and storing user’s data.
Google was so attentive that
it hired Canadian technology lawyer Jacob Glick as its in-house Ottawa
counsel to help manage, among other things, privacy issues. The
collaboration saw Google Street launched in Canada last year with such
innovations as a "take down" protocol that allows residents to request
the removal of any personal photos they don’t want posted on the site.
privacy honeymoon, however, was short lived. In the past two months,
Internet heavyweights have shown a surprising indifference to privacy
rights as they race to profit from their large warehouses of customer
data. The shift has set them on a collision course with Ms. Stoddart and
nearly a dozen of her European counterparts.
Google fired the
first shot by revealing the g-mail habits of millions of customers as
part of its rollout of the social media site, Google Buzz in February.
That prompted the federal privacy commission to launch an investigation.
took it up another notch last week by rolling out a number of changes
that allow, among other things, third-party application developers to
capture and store users social media activities and data. The move
appears to veer from Facebook’s promise to the privacy commission last
year to allow users to block such data grabs by this summer.
are snubbing their nose at the privacy commission," said David Fewer,
an Ottawa University law professor whose 2008 complaint with the
Canadian Internet Policy and Public Interest Clinic (CIPPIC) against
Facebook’s triggered the regulator’s investigation.
is not an easy person to snub. One month after Google Buzz was launched,
she was in Paris urging her European counterparts to make a public
The effort culminated in an unprecedented press
conference in Washington last week during which she and nine other
regulators warned that the Google Buzz stumble was "the last straw." An
angry letter to Google chief executive officer Eric Schmidt was signed
by Ms. Stoddart.
"She has had an impact on privacy that is out of
proportion to her relative place in the world," said David Young, a
privacy expert with Lang Michener LLP.
One of the more remarkable
things about Ms. Stoddart’s influence is that she wields it from any
agency that appeared headed for the dust bin in 2003 when she was
Formerly president of Quebec’s Access to
Information Commission, Ms. Stoddart arrived at an agency that she said
was "shell shocked" by a lavish spending scandal that torpedoed the
career of her predecessor George Radwanski. For the first four years of
her term, she concentrated on rebuilding staff, deepening ties with
Parliament and enforcing new privacy rules with bricks and mortar
When CIPPIC filed its 2008 complaint against Facebook,
she said she initially spent "sleepless nights wondering" if her
"fragile" office was up to the task of adding the Internet to its
privacy police beat.
"It was not one we could duck," she said. "If
we continued to only deal with the paper world we would lose our
relevance to Canadians."
The case earned the commission global
respect, but now that Internet players are pushing back, the next move
may be to seek enhanced powers to issue orders against privacy abusers.
Ms. Stoddart has said in recent speeches that her regulatory framework
has been "sorely tested" by rapid technological change. She said an
independent study by academics Lorne Sossin and France Houle is due
shortly and could pave the way for new rules.
If increased powers
are granted by Parliament, they will likely arrive after Ms. Stoddart
has moved on. Her seven-year term is due to expire at the end of the
year and she said she is "pursuing a number of options."
be months away from the exit door, but there is little sign that she is
ready to give up the fight.
"We can’t continue to accept willful
disregard or needless disregard of the privacy rights of citizens."