Shostack + Friends Blog Archive


Canadian Privacy Law

Michael Geist’s recent …

Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner’s office should consider several changes to its reporting approach including releasing full reports and exercising its power by identifying the targets of well-founded privacy complaints. At the present time, those that violate Canada’s privacy law are invariably protected under a veil of anonymity.

These are all fine suggestions, but will they make a difference?

The fundamental problem is that Canadian regulators remain unable and unwilling to impose serious penalties for privacy infringements. So, what does a rational CEO choose to do? Spend as little as humanly possible on privacy issues until they mess up. Then the regulator shows up, and gently slaps them on the wrist. Today, it would quite possibly be a breach of fiduciary duty to spend a lot of money on security in Canada. Sure, there’s a need to comply with the law, but there’s also a need to do so economically.

Geist goes on to say:

Adopting a naming names approach to the well-founded subset of those findings could be manifestly justified on public interest grounds, providing the public with valuable information in assessing the privacy practices of Canadian organizations as well as sending a much-needed message that failure to comply with the law will result in serious consequences.

He’s absolutely correct here, but a little bit of a black eye isn’t a serious consequence. The commissioner needs to take cases to court, and see to it that substantial fines are imposed. Anything less will leave Canada’s law toothless.

(From “Interesting People,” [IP] Canadian privacy law protects those who break it)

[Update: To be fair, Geist does conclude by discussing the need for effective enforcement; I just think that needs to be visible in the bottom line.]
[Update, 10/31: See my new post on this subject; Geist is more insightful on this than me.]