Ottawa-based privacy advocates are calling on the Privacy Commissioner of Canada’s office to release the names of popular Web sites that leaked personal information to third parties, following the commissioner’s announcement made yesterday.
Jennifer Stoddart revealed that her office had finished an investigation into 25 Web sites visited by many Canadians over the summer. It was discovered that six of these sites had significant privacy problems and that another five may have unsafe practices. Today, Stoddart told ITBusiness.ca these sites are violating the Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada’s private-sector privacy law.
“If you’re leaking personal information without knowledge or consent and its through carelessness or ignorance of the law or it is deliberate… that is a contravention of PIPEDA,” she said. But the commissioner is sticking to her guns when it comes to keeping the names of the offenders off the record.
“I have to balance the public interest and the interest of the business,” she says. “We don’t even have any explanations about why this is done – deliberately or inadvertently.”
But some experts dealing with consumer privacy and the Internet have a different opinion. The commissioner should have named names, according to Michael Geist, the Canada Research Chair on Internet and e-commerce law.
“It is unfair to stir public concern about current privacy practices and not rovide Canadians with the information they need to better protect their own privacy,” he says.
John Lawford, counsel with the Public Interest Advocacy Centre, agrees. The sites should be named, as it’s one of the only powers the commissioner has to reprimand offenders.
“It’s a little unfair to Canadians to say there’s a problem but not to offer a plan to address it or what is the source of the problem,” he says. “It’s like saying that there is a disease you can get going about your business in  major stores, but not saying which ones.”
When asked if it is possible the Web sites are still leaking personal information currently, Stoddart replied “I don’t know.” She added that many businesses were surprised to learn of the problem.
The firms found to have privacy concerns on their Web sites now have three weeks to respond to a letter that Stoddart sent, with plans on how to fix the issue. If they don’t, or the response isn’t satisfactory, Stoddart says she may choose to name them. Also, other Web sites should consider this a warning.
“We will go on, given our findings, and from time to time check up on very popular Canadian Web sites,” she says. “Another time, I may choose to name them from the outset.”
One Toronto-based lawyer is more understanding of Stoddart’s decision to withhold the names. With no Web sites named, all major Web sites will feel the pressure to double-check their practices, says David Allsebrook, an intellectual property lawyer at Ludlow Law.
“If the list is published a company not on the list that is leaking will think it has no problems and keep doing it. If the eleven are named the impact of the study is greatly reduced,” he says.
At the end of one week after having sent her letters to the offending firms, some replies have already been received, Stoddart says. With just 25 Web sites investigated, it’s hard to know how common data leaks across other sites.