Submission to the OPC’s Consultation on Consent under PIPEDA (BC FIPA)

BC Freedom of Information and Privacy Association

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

FIPA would like to acknowledge the Law Foundation of British Columbia. Their ongoing support of our work in the areas of law reform, research and education makes submissions like this possible.

Introduction

FIPA is a non-partisan, non-profit society that was established in 1991 to promote and defend freedom of information and privacy rights in Canada. Our goal is to empower citizens by increasing their access to information and their control over their own personal information. We serve a wide variety of individuals and organizations through programs of public education, public assistance, research, and law reform.

We thank the Office of the Privacy Commissioner of Canada for this opportunity to discuss issues relating to consent, and hope these comments may be of assistance.

We have read and understood the consultation procedures in the Notice of Consultation and Call for Essays, and we hope you will find this submission helpful.

Submission

Our submission will be relatively brief, and will concentrate on the findings from our 2015 study for the Contributions Program entitled The Connected Car: Who is in the Driver’s Seat?

In that study we pointed out a number of the failings of the consent model in the context of Connected Cars.

One of the major failings is the number of complicated privacy policies that a purchaser of a Connected Car is supposed to have read, understood and consented to. Some of these include:

• A purchase contract with the dealer which may include certain collection, retention, use and disclosure of her personal data by the dealer.
• Terms and conditions (including a privacy policy) of the automaker, or the automaker may simply impose its privacy policy, along with other terms and conditions, on the new vehicle owners by virtue of their use of the vehicle.
•  A Connected Car with infotainment services (e.g., OnStar, SyNC or Uconnect), require registration with the automaker (or its agent) for those services, which will require agreeing to a detailed set of terms and conditions which incorporate a special privacy policy setting out how personal data will be collected, used and disclosed by the automaker and/or its agents in the course of providing the Connected Car services.
• The automaker may have a third privacy policy for optional additional services such as remote control options involving the use of the customer’s smartphone, a special key fob or other remote device, which may require referring to the privacy policy of a mobile network provider.
•  If the connected services operate over the customer’s existing mobile plan instead, the customer will be referred to the privacy policy of her own mobile network provider. Assuming that the connected services involve the use of the customer’s smartphone, the purchaser will be expected to be aware of and have agreed to the privacy policies of her smartphone device system provider.

In addition, if financing of insurance are required and arranged through the dealer, there could be two additional privacy policies to have read and understood,

Clearly, consent provided in these circumstances cannot realistically be considered to be informed.

Automakers assume consent by customers to the collection, use and disclosure of vast amounts of often sensitive personal data, for a wide range of purposes. Many of these are not essential to provision of the services in question. Customers are generally not permitted to opt-out of listed uses or disclosures of their personal data even where such uses or disclosures are not essential to provision of the service, and the policies (when a customer can find them) do not provide sufficient detail for customers to understand the uses to which their personal data may be put.”^{Footnote 1}

“There are too many players in the Connected Car ecosystem. Many of these players have their own terms of service and privacy policies that consumers are expected to read, understand and agree to (or else seek an alternative with a more acceptable policy). Meaningful consent in this context is virtually impossible. Even if OEMs competed on privacy and provided more privacy options in their terms of service, average consumers simply do not have the time, never mind the expertise, to review and take into account so many different terms of service and privacy policies.”^{Footnote 2}

As a result, we provided this general recommendation:

Rather than relying on the fiction of choice and consent, what is needed in this industry are clear, specific and relevant limits on collection, retention, use and disclosure of personal customer data. We need industry-specific data protection regulations for the Connected Car industry.^{Footnote 3}

The specific recommendations related to consent were as follows:^{Footnote 4}

• Where OEMs are relying on customer consent, notice of the practice in question must be brought to the attention of the customer, as well as clearly worded and comprehensively explained so that the customer can understand exactly what they are agreeing to. Affirmative consent is always preferable to opt-out consent. Personal data of customers should not be collected without the customer’s awareness except as demonstrably needed to provide the service, or as expressly consented to by the individual.
• Consent should not be assumed merely by virtue of use of the service other than for obvious purposes that a reasonable person would understand and agree to.
• Consent to use or disclosure of one’s personal data for secondary purposes such as marketing, product improvement or research and development should never be assumed. It should always be explicit and affirmative.
• Connected Car services should not be denied to customers who refuse to agree to let their personal data be collected, used or disclosed for unnecessary purposes.

Conclusion

The BC Freedom of Information and Privacy Association thanks the Office of the Privacy Commissioner of Canada for this opportunity to provide our views on this important issue.

We urge great caution in doing anything that would have a result in diminution of the importance of consent, but rather there should be greater emphasis on not just requiring consent but in having systems in place that will allow individuals to tailor consent to their particular needs and requirements in relation to the collection, use or disclosure of their personal information.

If you require any additional information or clarification, please do not hesitate to contact us.