Clement open to large fines for massive data breaches — after further talk

 

 
 
 
 
Industry Minister Tony Clement said Friday he's open to the idea proposed by Canada's privacy watchdog to give her the power to slap corporations with huge fines if they don't protect the personal information of their customers.
 


Photograph by: Tyler Anderson, National Post

OTTAWA — Industry Minister Tony Clement said Friday he's open to the idea proposed by Canada's privacy watchdog to give her the power to slap corporations with huge fines if they don't protect the personal information of their customers.

"I have not closed the door to it, but there would have to be additional consultations on that issue," Clement told Postmedia News.

Earlier this week, Privacy Commissioner Jennifer Stoddart said the federal government should update the country's private-sector privacy law to include fines, given the "alarming trend toward ever-bigger" data breaches.

"It seems to me that it's time to begin imposing fines — significant, attention-getting fines — on companies when poor privacy and security practices lead to breaches," Stoddart told a privacy forum.

Under Canada's privacy law governing the private sector, Stoddart has no power to impose any fines and companies are not required to report breaches to her office.

The Conservative government's most recent proposal to update the law — which died when the federal election was called — did not include any powers to impose fines. But the proposal stated a company would have to report a "material" data breach to the privacy commissioner if the company concluded that the breach indicated a systemic problem.

Other factors to consider when determining if the mandatory-reporting rule kicked in included the sensitivity of the information and the number of customers affected.

The amendments were tabled in May 2010 following a mandatory statutory review of the law carried out in 2008.

Stoddart said much has changed since those consultations about the Personal Information Protection and Electronic Documents Act (PIPEDA), so she's asking Industry Canada to consider fresh amendments to empower her to impose fines for massive data breaches.

"What has happened in Canada was, because of the difficulty in getting legislation through the minority Parliament, that its passing had been delayed by several years. And as time went on, this particular proposal was increasingly out of sync with the trend and out of sync with the continuing occurrence of major data breaches," Stoddart said earlier this week. "They just seem to be getting bigger and bigger."

Clement acknowledged Friday that a lot of time has passed, saying "I think it does behoove us to do those consultations again."

He added that the issue is a priority under the government's digital-economy strategy.

"My thinking is that this bill — in whatever form it takes — is critical to my overarching vision on the digital-economy strategy, because you've got to have the right safeguards in place if people are going to feel comfortable participating in the online environment. So this is not just an add-on or an afterthought," said Clement. "This is a pretty critical component of the broader digital-economy strategy."

This is welcome news for John Lawford, a staff lawyer for the Public Interest Advocacy Centre who participated in the earlier review of the private-sector privacy law.

He supports Stoddart's push for powers to slap fines on companies in cases of big data breaches, but Lawford said there's an even bigger problem with last year's proposed amendments.

"You've got to fix the first part," Lawford said, of the discretion given to companies to decide whether a breach meets the test for mandatory reporting.

And until this loophole in the reporting rules is closed, Lawford said, "you've got nothing to fine and no one to fine."

sschmidt@postmedia.com

Twitter.com/sarah_schmidt_

 
 
 
 
 
 
 