With new Canadian data breach regulations going into effect, the mounting reports of massive data breaches and the EU’s General Data Protection Regulation, a law firm can use an experienced data privacy attorney. That’s what Fasken got when Jennifer Stoddart joined the firm as a strategic adviser, bringing along her 10 years of experience as Canada’s privacy commissioner.
But Stoddart isn’t just known for her work as a privacy commissioner. In between Fasken and the commissioner role, she served on various boards and worked pro bono in the health industry. Stoddart also was involved in the Asia-Pacific Economic Cooperation, an organization that aims to develop ways to protect personal information involved in Asia-Pacific region trades.
For Stoddart, joining Fasken Martineau DuMoulin felt like a natural fit. She noted that she’d known of Fasken and its lawyers for 30 years through its representation of various clients during her work in the public sector.
Before joining private practice, Stoddart’s privacy commissioner role entailed overseeing a staff of 150 people. She was also tasked with inspecting complaints and audits, advising on privacy compliance and creating lines of communication with leaders nationally and internationally regarding data privacy.
Stoddart served in that role from 2003 to 2013, during which Canada’s national data privacy law, the Personal Information Protection and Electronic Documents Act, went into effect. The office faced a “very deep learning curve” in dealing with the law that regulates the collection, use and disclosure of citizen’s personal information, Stoddart recalled.
“Generally, it was a time when the office managed to raise the profile of data privacy for Canada worldwide,” she said of her tenure. Stoddart explained that 10 to 15 years ago, there wasn’t much thought given to data collection or the serious mishaps with personal data that could arise.
She said she spent many years explaining the individual harm exploited data could bring, and said the effects of those talks can be seen today by the different approaches taken toward data protection by judges in Canada. “The harm to individuals is a topic that I spent a lot of time and energy illustrating,” Stoddart said.
After 10 years steering privacy data in Canada, Stoddart cited technology and hacking advancements, the monetization of data and the emergence of big data and artificial intelligence as some of the data collection differences since her tenure ended in 2013.
She noted Canada is now taking “sweeping actions” and rewarding damages if a company is using data for commercial gain but not following Canadian regulations. She cautioned American companies to note Canadian officials’ actions because they “have to be much more careful how [they] handle data in Canada.”
Indeed, Canada recently implemented a new data security requirement that Stoddart said is “certainly a challenge for many Canadian organizations. While some are well prepared, this regulation demands among other things, recording of every significant data breach.”
She further explained that complying organizations will have to set up a record-keeping system, prepare a breach evaluation and notify their customers if the breach is likely to cause significant harm. Many organizations aren’t used to that requirement, she noted.
In fact, Canada’s current privacy minister, Daniel Therrien, publicly questioned how enforceable the regulation can be when he doesn’t have the authority to dole out fines.
But Stoddart said there are ways the privacy minister can enforce the regulation. She noted he can refer offenses to the attorney general of Canada, who can pursue charges, or publicly reveal the name of the companies that aren’t following the regulation, which “would not be good for the bottom line of the company.”