Personal info law becoming archaic, says federal privacy watchdog

OTTAWA – The federal law governing how companies handle personal information is too old to keep up with the rapidly expanding digital age, Canada’s privacy czar warned Thursday.

In her annual report on the law, Privacy Commissioner Jennifer Stoddart said the 13-year-old legislation was designed for another age — before online fraud, cyberbullying and data breaches routinely grabbed headlines.

She mused that at the turn of the millennium, “phishing” was done in lakes, an “app” was served before dinner, and “friending” was not a verb.

“Online shopping was a novelty and Internet banking was in its infancy. In waiting rooms and at bus stops, thumbs were twiddled; they didn’t flutter across tiny screens,” said her report tabled in Parliament.

“Amidst these frenetic changes, the protection of privacy is not child’s play. It demands a law that is strong and mature, nuanced and effective.”

The Personal Information Protection and Electronic Documents Act “is no longer up to the task,” said Stoddart.

It is just the latest — and perhaps final — call for legislative reform from Stoddart, whose tenure ends later this year.

Other countries’ data protection authorities have power to make binding orders, levy hefty fines and take significant action in response to serious data losses, Stoddart said.

However, the federal legislation restricts the Canadian privacy commissioner’s office to persuasion, encouragement and — at most — the possibility of publishing the names of transgressors.

“Today’s reality is that life online, new data-mining technologies, demands from law enforcement authorities for digital evidence, a host of new cyber-threats, and contemporary cloud-based business models all call for dramatically reformed approaches to the protection of personal information,” the report said.

The commissioner says she has no power to enforce her recommendations, short of a time-consuming court battle.

The legislation is supposed to be reviewed every five years. It has now been more than six years since a Commons committee issued its report on the law.

A federal bill that would make some changes was introduced in May 2010 but died on the order paper. The bill was revived but has been stalled in Parliament for well over a year.

In her report, Stoddart focuses on cases of concern from the last year that involved:

— the difficulties endured by a teenager after someone impersonated her with a phoney Facebook account;

— profiles of people on a dating website for individuals with sexually transmitted diseases turning up on other dating sites;

— a computer rental company’s use of spyware to help recover missing laptops, resulting in collection of sensitive personal information.