Canada's privacy commissioner is concerned about some social media companies ignoring privacy laws, and said today that Parliament should impose stronger sanctions when they are broken.

Jennifer Stoddart told the House of Commons access to information, privacy, and ethics committee that social media companies amass a "staggering" amount of personal information from Canadians, and that while strides have been made to protect those details, she still has significant concerns about how they are handled.

"This is the age of big data where personal information is the currency that Canadians and others around the world freely give away," she said.

"I have become very concerned about the apparent disregard that some of these social media companies have shown for Canadian privacy laws," said Stoddart.

Her office has been keeping a close eye on social media companies for several years and she hasn't shied away from taking on heavyweights such as Facebook and Google over their privacy policies.

She said Tuesday that her office has almost continuously been investigating Facebook since 2009, and initial investigations revealed the social media giant wasn't following Canada's privacy law, but compliance has increased more recently.

"The problem with social media companies is generally their lack of transparency with regulatory authorities," she said.

Personal information act due for review

Other countries are moving towards more robust enforcement regimes, but Stoddart said Canada is at risk of falling behind and that the existing law – the Personal Information Protection and Electronic Documents Act (PIPEDA) – is too weak.

PIPEDA is due for a mandatory five-year review by Parliament, and the privacy watchdog said she hopes that MPs will push for greater enforcement powers and greater accountability standards for companies within the legislation.

The legislation currently doesn't require companies to report a privacy breach to Stoddart's office or to consumers, and Stoddart said with barely any penalties for breaching provisions in PIPEDA, there is little incentive for companies to invest in better data protection systems.

If there were stricter penalties for companies that would affect their bottom lines, they would be more inclined to adhere to the privacy laws, she suggested.

"I believe companies take notice … when they are subject to major fines or some kind of enforcement action. We have very limited power in that regard, and I believe more respect would be shown to Canada's laws if we did have that power," she said. 

Parliament does have a bill before it that aims to reform PIPEDA, Bill C-12, but there's been no movement on it since it was introduced last fall and Stoddart said the measures in it don't go far enough and that it could be made stronger.

An official from Industry Canada who testified after Stoddart told the committee that C-12 will "create a powerful tool to protect and empower consumers online."

It would, for example, make data breach notifications mandatory, as opposed to the voluntary guidelines that Stoddart's office asks companies to follow.

Janet Goulding said the bill also enhances consent provisions designed to protect children online by requiring companies to explain in age-appropriate language why information is being collected.

"We believe these changes are an important step towards ensuring that our privacy legislation continues to protect Canadians," she said.

Stoddart suggested specific areas of concern that the committee could focus on as it proceeds with its study of privacy and social media, including accountability and how privacy policies are written by companies. Too often companies only address privacy concerns after there has been a security breach, or a backlash from consumers, and their privacy policies are so long and convoluted that they are often ignored by users, she said.

How long companies hold on to personal information and how they go about de-activating and deleting accounts are also ongoing areas of concern, the privacy commissioner said.