Jennifer Stoddart blazes a global trail for privacy protection

The Globe and Mail

Canada's Privacy Commissioner Jennifer Stoddart: "If we continued to only deal with the paper world we would lose our relevance to Canadians." (PATRICK DOYLE/The Globe and Mail)

In a country where business cops have a history of pulling more punches than they have thrown, Jennifer Stoddart is a sheriff to be feared.

As Canada's Privacy Commissioner for the last seven years she has transformed a once embattled agency into a pioneering regulator that has blazed a global trail for privacy protections. She has scolded Internet titans Facebook and Google into tightening flimsy privacy settings. On her home turf, Canadian telecom, financial and retail companies have bowed to demands to stop tracking or sharing customers' digital footprints without permission. And she must be the only regulator that has posted a children's video about privacy rights on YouTube.

Story continues below ad

"She has taken the lead in sounding the privacy alarm," said John Simpson, a consumer advocate with Consumer Watchdog in Santa Monica, Calif.

Adds Jeff Chester, executive director of the Washington-based Center for Digital Democracy: "She's given Canada a huge profile on the global privacy stage."

How did an Ottawa-based regulator with limited enforcement powers earn so much credibility?

The answer may be that opponents underestimated Ms. Stoddart, a 61-year-old former civil liberties lawyer who likes to relax by riding her horse for hours through endurance trials. On the surface there was much to underestimate. The commissioner was a virtual unknown outside of Canada until a few years ago. And her powers are so limited that her office can only order privacy offenders into line by filing a claim in Federal Court, a cumbersome and unpredictable process.

So it is little surprise that California-based Internet heavyweights such as Google and Facebook initially paid little attention to the small privacy regulator in a far away place called Ottawa. It didn't help that the companies are located in a country that has the distinction of being one of the few world powers without a national privacy act or regulator.

When the Web giants began moving across the border in a big way in the mid 2000s, they apparently didn't notice that Canada had a fresh set of privacy laws requiring companies to give customers a clearly worded choice to stop companies, including websites, from sharing private information.

"Obviously no one bothered to look to see if Canada had laws on this," Ms. Stoddart said tartly during an interview from her small Ottawa office.

The oversight prompted the Privacy Commissioner of Canada to launch in 2008 the world's first investigation into Facebook's scanty privacy safeguards. The regulator also slowed Google's plans to send cars armed with cameras to capture and post images of virtually every urban inch of the country on its Google Street website.

Initially, the U.S. Goliaths co-operated with the David-like regulator. Last year, Facebook agreed to recalibrate its global privacy settings to make it easier for users to protect their information and photographs. It also promised to introduce by this summer tighter barriers limiting software developers and others from collecting and storing user's data.

Google was so attentive that it hired Canadian technology lawyer Jacob Glick as its in-house Ottawa counsel to help manage, among other things, privacy issues. The collaboration saw Google Street launched in Canada last year with such innovations as a "take down" protocol that allows residents to request the removal of any personal photos they don't want posted on the site.

The privacy honeymoon, however, was short lived. In the past two months, Internet heavyweights have shown a surprising indifference to privacy rights as they race to profit from their large warehouses of customer data. The shift has set them on a collision course with Ms. Stoddart and nearly a dozen of her European counterparts.

Google fired the first shot by revealing the g-mail habits of millions of customers as part of its rollout of the social media site, Google Buzz in February. That prompted the federal privacy commission to publicly reprimand the company.

Facebook took it up another notch last week by rolling out a number of changes that allow, among other things, third-party application developers to capture and store users social media activities and data. The move appears to veer from Facebook's promise to the privacy commission last year to allow users to block such data grabs by this summer.

"They are snubbing their nose at the privacy commission," said David Fewer, an Ottawa University law professor whose 2008 complaint with the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook's triggered the regulator's investigation.

Ms. Stoddart is not an easy person to snub. One month after Google Buzz was launched, she was in Paris urging her European counterparts to make a public joint stand.

The effort culminated in an unprecedented press conference in Washington last week during which she and nine other regulators warned that the Google Buzz stumble was "the last straw." An angry letter to Google chief executive officer Eric Schmidt was signed by Ms. Stoddart.

"She has had an impact on privacy that is out of proportion to her relative place in the world," said David Young, a privacy expert with Lang Michener LLP.

One of the more remarkable things about Ms. Stoddart's influence is that she wields it from an agency that appeared headed for the dust bin in 2003 when she was parachuted in.

Formerly president of Quebec's Access to Information Commission, Ms. Stoddart arrived at an agency that she said was "shell shocked" by a lavish spending scandal that torpedoed the career of her predecessor George Radwanski. For the first four years of her term, she concentrated on rebuilding staff, deepening ties with Parliament and enforcing new privacy rules with bricks and mortar companies.

When CIPPIC filed its 2008 complaint against Facebook, she said she initially spent "sleepless nights wondering" if her "fragile" office was up to the task of adding the Internet to its privacy police beat.

"It was not one we could duck," she said. "If we continued to only deal with the paper world we would lose our relevance to Canadians."

The case earned the commission global respect, but now that Internet players are pushing back, the next move may be to seek enhanced powers to issue orders against privacy abusers. Ms. Stoddart has said in recent speeches that her regulatory framework has been "sorely tested" by rapid technological change. She said an independent study by academics Lorne Sossin and France Houle is due shortly and could pave the way for new rules.

If increased powers are granted by Parliament, they will likely arrive after Ms. Stoddart has moved on. Her seven-year term is due to expire at the end of the year and she said she is "pursuing a number of options."

She may be months away from the exit door, but there is little sign that she is ready to give up the fight.

"We can't continue to accept willful disregard or needless disregard of the privacy rights of citizens."



Editor's Note: Canada's Privacy Commissioner publicly reprimanded Google Inc. for "alleged privacy violations" when the Internet company exposed the activities of its gmail users as part of its launch of Google Buzz. Google has since apologized and changed some of its practices. An earlier online version of this story published Wednesday incorrectly said that the Commissioner is investigating Google.