Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
As part of my ongoing commitment to spotlight notable Canadian leaders who have shaped privacy, data protection, cybersecurity and artificial intelligence, I'm sharing a series of short profiles in the IAPP Canada Dashboard Digest. The first honored the late Ian Kerr, whose legacy continues to guide our field. Today, I turn to another trailblazer: Jennifer Stoddart.
In the evolving story of privacy in Canada, few public servants shaped the field's early direction as decisively as Stoddart. Appointed privacy commissioner of Canada in December 2003 and reappointed in 2010, she steered the office through a formative decade when the boundaries of the Personal Information Protection and Electronic Documents Act were first being tested — at home, online and across borders.
Before Ottawa, Stoddart's path ran through Québec's institutions of rights and transparency. From 2000 to 2003, she served as president of Québec's data protection authority, the Commission d’accès à l’information du Québec, after senior roles at the Québec and Canadian human rights commissions — experience that made her unusually fluent in how law and administration meet the lived realities of citizens. That track record made her the right person for a delicate moment.
Stoddart took the helm following the scandal and resignation of former commissioner George Radwanski, whose saga culminated in a House of Commons finding of contempt based on misleading committee testimony. In short: public confidence in the Office of the Privacy Commissioner needed rebuilding and the mandate needed refocusing. Stoddart got to work.
Those early years demanded a lot of internal focus as well as principled line‑drawing. One of the first crucibles was the Federal Court's decision in Eastmond v. Canadian Pacific Railway, the first case to address workplace video surveillance. This legal proceeding helped crystalize the OPC's now familiar four‑part reasonableness test: necessity, effectiveness, proportionality and least invasive solution. The court endorsed the framework but, on the facts, reached a different outcome than the OPC, an early lesson that the test was robust precisely because it could be applied rigorously on the merits.
At the same time, globalization was putting PIPEDA's reach under pressure. The Society for Worldwide Interbank Financial Telecommunication investigation from 2006 to 2007 brought the jurisdiction question to a head: Could Canada's privacy law apply when data moved through a cooperative headquartered in Belgium, processed in the United States and used by Canadian banks?
Stoddart's office concluded yes — there was a real and substantial connection to Canada — while also finding that SWIFT did not contravene PIPEDA when complying with lawful foreign subpoenas. The message was twofold: multinationals connected to Canada are accountable under our law and cross‑border access should be channeled through mechanisms with transparency and privacy safeguards.
Then came social media. In 2009, the OPC issued its landmark Report of Findings into Facebook, addressing default settings, third‑party apps, account deactivation and deletion and the contours of meaningful consent. It was an early, world‑watching moment for platform accountability that foreshadowed a decade of global enforcement and policy debates. The analysis set expectations for notices, app permissions and data minimization long before these became common regulatory touchstones. Suffice it to say, it was a huge deal.
But Stoddart's imprint was not only her portfolio of cases. It was the way she led: a diplomat's tact, a steady public voice and a management style that gave talented people room to do their best work. Those of us who worked with her — or alongside her office — remember the balance she struck between principled firmness and practical problem‑solving. She was simply a terrific leader.
She has always been charming and stylish in that uniquely Québécoise way. I'm also pretty sure she's been the most enthusiastic commissioner to embrace and fully lean into my crazy gameshow idea, whether it involved donning a hockey jersey or being paired with a fake "husband," the Royal Bank of Canada Financial Group's Jeff Green, for a version of the Newlywed Game — proof that even Canada's top privacy official could see the value in having a bit of fun with the privacy community.
Stoddart has also invested in the profession itself. Following her time as commissioner, she has given back to the privacy community by serving on the IAPP board of directors, another signal of her commitment to building a global, practitioner‑led ecosystem that could meet the moment.
Looking back, it's striking how many of today's "new" questions were first framed on her watch: when surveillance is justified; how consent can be meaningful in complex ecosystems; and how Canadian jurisdiction works when data flows barely touch our soil. The answers continue to evolve with technology and law, but the architecture of the debate — that clear, principled scaffolding — owes a great deal to Stoddart and those she surrounded herself with.
If you have memories of working with her, reactions to these highlights or ideas for other Canadian leaders to feature, I'd love to hear them.
Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
