Notes from the IAPP Canada: OPC reaches into its toolkit

When the Personal Information Protection and Electronic Documents Act was just coming into force in the early 2000s, there was a bit of turmoil at the Office of the Privacy Commissioner of Canada. The commissioner at the time was forced to resign amid allegations of misconduct and was even criminally charged with fraud.

He was eventually found not guilty of any criminal wrongdoing, but it sure made for some interesting news. I don't remember if the IAPP had the Daily Dashboard back then, but the story would have definitely been front page material. It took a while for the OPC to get back on track. There was an excellent interim commissioner that fixed quite a few organizational issues, and then Jennifer Stoddart, who came from the Quebec regulator's office, was appointed to lead the organization.

To be sure, there was still a lot of "office fixing" that needed to take place when Stoddart's mandate started. But she was intent on fulfilling the mandate of the office — to enforce our privacy legislation. After a bit of time at the helm, Stoddart became increasingly frustrated with organizations that were not meeting all their obligations but would also refuse to respond to Report of Findings that contained recommendations on how to bring themselves into compliance.

Organizations back in the early 2000's didn't prioritize data protection and because the law only allowed the OPC to make recommendations, many organizations took a pretty relaxed approach to compliance.

Stoddart and her general counsel at the time — Patricia Kosseim, who is now Ontario's Information and Privacy Commissioner — examined their legislative toolkit and decided PIPEDA's provisions that allowed the commissioner to initiate court applications after an investigation could be used to obtain court orders requiring organizations to comply.

That's where I come in. I was a litigator back then who decided that privacy and data ethics was where I wanted to be, and I didn't particularly like litigating anything except privacy issues. So, I went to work at the OPC and developed a litigation strategy to take every organization that did not implement the OPC's recommendations to court.

Perhaps it is not shocking that I never once appeared before the court and those robes gathered a ton of dust. This is because I'd write to the organization that was found to be in default, attach my Notice of Application to the court, along with the press release that would ensue, and give them a few days to respond. In every single instance, they did respond and always agreed to implement the recommendations.

Fast forward a few years and I'm in private practice, sometimes representing organizations being investigated by the OPC. And while the OPC can't heavily penalize unlawful behavior, that doesn't mean organizations get an easy, painless experience if they're found not in compliance. So, I've always had that perspective in mind.

With the death of privacy reform in Canada, for at least the foreseeable future, it's likely going to be quite a while before a regulator, tribunal or court will be able to fine organizations for noncompliance.

That's why this week's news of the OPC taking a noncompliant organization to court is very interesting to me and, hopefully, others as well. If you didn't see it already, the court application now being used to achieve compliance is to obtain a court order requiring the owner of Pornhub to more fully implement all the OPC's recommendations that were revealed to the public almost a year ago.

So, while the OPC is working with a law that doesn't allow it to directly penalize wrongdoing, it's notable the office seems to be prepared, at least in some circumstances, to use the tools in its toolkit to try to enforce the law the way it sees it.

I don't know if this case will ever get to a hearing or a decision, but I will be following it closely.

Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada for the IAPP.