Submission to the OPC’s Consultation on Consent under PIPEDA (IAB Canada)

Interactive Advertising Bureau of Canada

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Summary

There is an increasingly active discourse and growing recognition in the Canadian privacy arena of the legal and practical challenges posed by a statutory consent requirement in the evolving data environment (as well articulated in the OPC’s Consent and Privacy Discussion Paper). Despite these challenges, PIPEDA’s framework continues to work as an elegant and effective model for organizations to respectfully treat personal information in the course of developing and offering highly innovative and valuable services, products, and features.

The lasting success of PIPEDA in this regard—and the reason why PIPEDA can continue to help foster innovation—is largely grounded within the following key features of its statutory framework: (i) PIPEDA balances the interests of individuals and organizations; (ii) PIPEDA’s rules are drafted in principles-based, technologically neutral fashion; and (iii) PIPEDA’s accountability model.

PIPEDA’s current consent requirement is—and can continue to be—a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today’s data environment. In many technological contexts (including for “Big Data” processing), the consent principles can continue to serve as an authority for the processing of personal information by using a flexible, pragmatic, and common sense approach to the application of the Act.

The Discussion Paper sets out a number of possible solutions to the challenges that the data environment poses for PIPEDA’s consent requirement. Most of these can be accommodated and operationalized under PIPEDA’s current legislative framework (with no statutory amendment), but ideally with the assistance of guidance issued by your Office and provincial privacy regulatory authorities.

Certain of the challenges considered in the Discussion Paper can also be addressed by surgically amending PIPEDA to expand the circumstances in which organizations would have the authority under the Act to collect, use, or disclose personal information without consent, including in particular the addition of an exception to consent for “legitimate interests” (as discussed in the Discussion Paper). With careful drafting, and informed stakeholder input, exceptions to consent for the processing of personal information can be crafted in a manner fully consistent with the spirit and intent of the Act.

A summary of our comments on various other solutions set out in the Discussion Paper includes the following:

There is no need to establish “no go zones” or “proceed with caution zones” for certain types of personal information processing, as PIPEDA’s existing holistic framework serves to protect privacy interests in all circumstances where such a zone may be contemplated.
The processing of de-identified data is now commonly used as a means for organizations to leverage the potential of their data holdings for innovation in a manner that safeguards and otherwise respects the privacy interests of individuals. De-identification of personal information can serve to materially limit (if not virtually eliminate) the risk and impact to an individual. There is no need under PIPEDA (or otherwise) to impose an additional requirement for consent for the collection, use, and disclosure of de-identified data, and a consent requirement for the processing of non-identifiable data would have unnecessary, and potentially severe, adverse consequences for innovation.
An assessment process that considers the ethical impact of data processing activities can serve to enhance an organization’s privacy management program and compliance with its accountability obligations under PIPEDA, including by providing a framework for establishing that the purpose and nature of a personal information processing activity is reasonable, legitimate, and appropriate.
PIPEDA currently provides the OPC with a suite of powers to enforce compliance with the Act. By actively using these enforcement powers, the OPC has been successful in carrying out its statutory mandate under PIPEDA and is now highly respected across the global privacy arena. The OPC does not require additional powers to oversee compliance or enforce any of the proposed solutions set out in the Discussion Paper.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

The lnteractive Advertising Bureau of Canada (“IAB Canada”) welcomes the opportunity to respond to the call for submissions to your Office regarding the viability of the consent model under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

IAB Canada fully supports the efforts of your Office to consider how PIPEDA’s consent (and other) requirements can be improved to enable organizations to provide innovative forms of value in the emerging data environment while, at the same time, respecting the privacy interests of individuals.

We believe that an informed, structured multi-stakeholder dialogue is critically important to practically address the challenges raised by your Office in Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act^{Footnote 1} (the “Discussion Paper”), and we welcome—and look forward to actively participating in—the consultation process initiated by your Office.

This submission consists of the following:

Background information about IAB Canada;
A comment on how PIPEDA’s current framework is well-suited for innovation in the evolving data environment;
A comment on the viability of PIPEDA’s current consent requirement; and
Comments on various potential solutions set out in the Discussion Paper.

1. IAB Canada - Background

IAB Canada is a not-for-profit association exclusively dedicated to the development and promotion of the rapidly growing digital marketing and advertising sector in Canada.

IAB Canada represents over 250 of Canada's most well-known and respected stakeholders in the digital advertising and marketing sector, including advertisers, agencies, media companies, digital publishers, social media platforms, ad networks, data companies, mobile and video game marketers and developers, measurement companies, service providers, educational institutions, and government associations operating within the space. Our members include numerous small and medium sized enterprises.

Companies in the digital advertising and marketing sector offer a wide range of highly innovative products and services, including valuable service offerings to individual Canadians. This sector is intensely competitive, and the long-term success of our members is fundamentally predicated on their ability to continually design, develop, offer, and improve valuable digital products and services.

Our members are “data companies”. The products and services offered by our members inherently require the processing of data, and often this data includes personal information. Our members recognize that their long-term success as commercial enterprises requires the respectful treatment of personal information in their custody and control, which includes complying with PIPEDA and other applicable privacy legislation. It is for this reason that we are welcoming the OPC’s consultation effort to consider how PIPEDA can be improved in a manner that addresses the interests of stakeholders across the innovative Canadian data arena, including the individuals who benefit from our members’ digital product and service offerings, as well as the companies involved in the development and provision of such products and services.

2. PIPEDA’s Framework is Well-Suited for Innovation

While it is clear (as well articulated in the Discussion Paper) that there are certain challenges in applying PIPEDA’s consent (and other fair information practice) principles in the emerging data environment, it is equally clear that overall PIPEDA’s framework has worked—and continues to work—as an elegant and effective model for organizations to respectfully treat personal information in the course of developing and offering highly innovative and valuable services, products, and features.

In our view, the lasting success of PIPEDA in this regard—and the reason why PIPEDA can continue to help foster innovation—is largely grounded within the following key features of its statutory framework:

(i) PIPEDA balances the interests of individuals and organizations;

(ii) PIPEDA’s rules are drafted in principles-based, technologically neutral fashion; and

(iii) PIPEDA’s accountability model.

A brief description of each of these features of PIPEDA is set out below.

(i) Balancing of Interests

Canadians benefit from the value offered by the vast array of innovative service and product offerings, and the increasingly tailored and personalized nature of such offerings. This is particularly the case in the online and mobile space, where the availability of an explosive volume of products, services, and features has been fueled by stunning innovation and the economic model of the digital advertising and marketing ecosystem.

In the course of the design, development, offering, and marketing and advertising of these products and services, organizations often need to collect, use, analyze, and share certain personal information. Simply put, the processing of personal information has become an inherent part of innovation and the exchange of value. At the same time, to maintain and enhance the trust of individuals in today’s data environment, it is important for organizations to be respectful of the personal information in their custody and control.

PIPEDA’s statutory framework expressly recognizes the balancing of interests that is required for innovation in today’s digital economy. The statute sets out rules for organizations to protect the privacy of individuals, but it does so with an express recognition of the increasing need for organizations to process personal information in a rapidly evolving data environment. This balance is struck in the Purpose section of PIPEDA, which provides:

Purpose

The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

While PIPEDA came into force in 2001, the balance of interests within PIPEDA’s Purpose section continues to be wholly relevant today, and provides a helpful prism through which the Act’s consent and other requirements must be interpreted and applied. As stated by the Federal Court of Appeal,^{Footnote 2}

“There are … two competing interests within the purpose of the PIPED Act: an individual’s right to privacy on the one hand, and the commercial need for access to personal information on the other. However, there is also an express recognition, by the use of the words “reasonable purpose,” “appropriate” and “in the circumstances” (repeated in subsection 5(3)), that the right of privacy is not absolute.”

. . .

“All of this to say that, even though Part 1 and Schedule 1 of the Act purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the Court must strike a balance between two competing interests. . . [F]lexibility, common sense and pragmatism will best guide the Court.”

(ii) Principles Based Framework

One of the main reasons PIPEDA remains effective today is because it was drafted in a technologically neutral and sectoral-agnostic fashion.

PIPEDA's consent and other rules are mainly set out in plain language as broad principles, and therefore can be applied to any new technology, new application, or new ecosystem that involves the processing of personal information, including the digital advertising and marketing ecosystem.

It is precisely because PIPEDA does not focus on any particular type of technology or sector that it is so well-suited to address the seemingly novel privacy considerations that may be raised by new technological developments.

It is important that PIPEDA remains drafted in a technologically neutral manner, and without regard to industry sector or particular activity, or type of data element. Given the increasingly rapid pace of technological innovation, any statutory requirement that is drafted to focus on a certain data element, technology, process, or ecosystem risks being obsolete, out-of-date, soon after it comes into force.

(iii) Accountability Framework

PIPEDA is often referred to as a “consent-based” statute, and (as stated in the Discussion Paper) the consent requirement is broadly considered to be the “cornerstone” of the Act.

In practice, however, the most powerful feature of PIPEDA is its accountability model. Under PIPEDA’s accountability principle, organizations are responsible for personal information in their custody and control,^{Footnote 3} and organizations must implement policies and procedures designed to ensure compliance with the Act’s rules that govern the entire life cycle of the organization’s personal information processing.^{Footnote 4}

Compliance with PIPEDA’s accountability principle and, more broadly, the respectful treatment of personal information requires organizations to implement privacy management programs that address the full life cycle of their personal information processing. As stated by your Office, privacy management programs help “promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organizations.”^{Footnote 5}

PIPEDA’s accountability model is elegant and effective. The accountability principle holds organizations responsible for their personal information practices, and does so in a non-prescriptive manner that affords organizations the flexibility to tailor, adapt, and refine their privacy programs in a practical manner that is suitable to the industry sector, size of the organization, the nature of a given organization’s personal information practices, and an organization’s evolving commercial needs. Moreover, to bolster their efforts to comply with the accountability principle, organizations can choose to participate in self-regulatory regimes (such as the Digital Advertising Alliance of Canada’s self-regulatory program for online behavioural advertising, as discussed in more detail below), agree to adhere to codes of conduct, and/or align or supplement their privacy programs with industry standards or evolving approaches to the assessment of data practices (such as ethical assessments, as discussed below).

For the purposes of this consultation, it is important to frame PIPEDA’s consent requirement as being just one part of an organization’s broader obligations under the Act’s accountability principle. Under PIPEDA, an organization may not collect, use, or disclose personal information in the course of its commercial activities unless it has the authority under the Act to do so. The authority to collect, use, or disclose personal information may be obtained via consent,^{Footnote 6} or a prescribed exception to consent.^{Footnote 7} Practically, the substantive focus of privacy management programs (and an organization’s focus on the respectful treatment of data) relates mostly to an organization’s personal information practices after authority for personal information processing (whether consent or otherwise) has been obtained.^{Footnote 8}

Viewed through this practical lens, and especially given the array of challenges to consent (as articulated in the Discussion Paper), it may be more accurate – and more helpful in the long-term—to consider the concept of “accountability” (not consent), as being the “cornerstone” of the Act.

3. The Viability of PIPEDA’s Consent Requirement

There is an increasingly active discourse and growing recognition in the global privacy arena of the legal and practical challenges posed by a statutory consent requirement in the evolving data environment. These challenges are well articulated in the Discussion Paper. However, despite these challenges, it is important to highlight that in many contexts, PIPEDA’s current consent requirement is—and can continue to be—a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today’s data environment.

As noted above, the core elements of PIPEDA’s consent requirement—as contained in Principle 4.3 of Schedule 1 to PIPEDA and the new Section 6.1 of the Act—are set out in a principle based, technologically neutral fashion. In many technological contexts, the consent principles, in their current form, can continue to serve as an authority for the processing of personal information by using a flexible, pragmatic, and common sense approach.^{Footnote 9}

Viability of Implied Consent for Online Behavioural Advertising

A prime example of the viability of PIPEDA’s current consent requirement within a complex data ecosystem is in the context of the collection and use of personal information for the purposes of online behavioural advertising. Your Office has published Guidelines on Privacy and Online Behavioural Advertising^{Footnote 10} (“OBA Guidance”) which provides that (among other things) organizations would be permitted under PIPEDA to process personal information for online behavioural advertising purposes with the implied consent of individuals, provided certain conditions are satisfied.^{Footnote 11} The OBA Guidance draws upon and incorporates earlier guidance issued by the OPC, in which your Office sets out the conditions for a valid implied (opt-out) consent under PIPEDA.^{Footnote 12}

Based in large part on the OBA Guidance, the Digital Advertising Alliance of Canada, a not-for-profit organization and consortium comprised of IAB Canada and 7 other leading national advertising and marketing trade associations, developed and launched AdChoices, the Canadian Self-Regulatory Program for Online Behavioural Advertising. The AdChoices program is designed to provide consumers with transparency and control over interest-based ads, and is used by participating organizations in Canada to help them comply with PIPEDA’s consent and other requirements.

The AdChoices program requires participating organizations to adhere to the Canadian Self-Regulatory Principles of Online Behavioural Advertising, which were drafted expressly to align with PIPEDA’s consent, notice, and accountability principles, and the OBA Guidance. Dozens of key players in the online advertising ecoysystem^{Footnote 13} have signed up for the DAAC’s AdChoices program, all with a view of helping enhance their respective compliance with PIPEDA and, overall, to enhance the trust of all stakeholders in the Canadian digital advertising arena.

Viability of Consent for Big Data Processing: Principle 4.3.3

PIPEDA’s consent requirements also establish a helpful framework for the processing of personal information that may be involved in the data analytics or “Big Data” context.

The concept of data analytics is not new. Data analysis is an inherent part of research and development. But the concept of Big Data processing typically refers to new analytical methods applied to large, unstructured data sets, and is a critical part of many companies’ innovation processes, including in the digital advertising and marketing sector. The insights derived from “Big Data” analytics now being conducted by companies are leading to a profound and unprecedented level of benefits and improvements in process efficiency and convenience, and an array of new product and service offerings and features.

PIPEDA’s consent provisions helpfully contemplate circumstances where organizations must process personal information in connection with providing a product or service offering, such as the case where data analytics is being conducted for research and development or required as part of the product and service offering.

Principle 4.3.3 of PIPEDA’s consent principle provides as follows:

An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.

This consent provision embodies PIPEDA’s balancing of interests by expressly recognizing that certain types of personal information processing—such as the case with data analytics—may be inherently required for the provision of a product or service, while at the same time ensuring that privacy interests of individuals are respected with the inclusion of specific conditions that must be satisfied.

Specifically, under Principle 4.3.3, organizations can require an individual to consent—within the terms and conditions for the provision of the product or service—to the certain types of data processing (such as data analytics) provided that (i) the organization complies with the transparency and data minimization requirements contained within the provision (both of which requirements are consistent with other PIPEDA requirements^{Footnote 14}), and (ii) the collection, use and disclosure in question is done for “legitimate purposes”.

Notably, the phrase “legitimate purposes” is not defined in the statute, though presumably it is informed by Section 5(3) of PIPEDA, which provides that organizations may only collect, use and disclose personal information for a purpose that a reasonable person would consider appropriate, and by the balancing of interests within Section 3 of PIPEDA. Without question, as a general proposition, a reasonable person would consider it to be an entirely appropriate and legitimate purpose for companies to engage in data analytics. And organizations could bolster their ability to maintain that particular types of Big Data processing of personal information are “reasonable”, “legitimate,” and “appropriate” (and their ability to rely on Principle 4.3.3.) by conducting such activities within their privacy management programs, including conducting appropriate assessments of the particular data practices involved.

4. Comments on various potential solutions set out in the Discussion Paper

Solutions within Current Legislative Model

The Discussion Paper sets out a number of possible solutions to the challenges that the data environment poses for PIPEDA’s consent requirement. As discussed above, we are of the view that PIPEDA’s current consent requirement is—and can continue to be—a legally viable and practical means of authority under PIPEDA for organizations to collect, use, and disclose personal information in today’s data environment.

Notably, no amendments to PIPEDA are required in order to “enhance” consent (or otherwise address challenges) through various solutions proposed in the Discussion Paper, such as the suggested approaches to transparency,^{Footnote 15} consent management,^{Footnote 16} and de-identification of personal information,^{Footnote 17} and the means to enhance privacy governance (i.e. incorporating “privacy by design” principles,^{Footnote 18} adopting or adhering to codes of conduct or self-regulatory programs,^{Footnote 19} and the use of ethical frameworks to help assess the impact of data processing^{Footnote 20}).

All of the above listed solutions can be accommodated and operationalized under PIPEDA’s current legislative framework, ideally with the assistance of guidance issued by your Office and provincial privacy regulatory authorities. By way of example, with respect to transparency, we refer to the guidance documents issued by your Office setting out suggested evolving industry approaches for enhancing the effectiveness of notice under PIPEDA in the online and app contexts.^{Footnote 21} Regulatory guidance is most valuable when it is developed collaboratively and informed with multi-stakeholder input.

Legislative Amendments

While PIPEDA’s framework remains viable, it is critically important to ensure that PIPEDA—in the long-term—is able to address the challenges to the consent model articulated in the Discussion Paper, as these challenges may become more acute with increasingly complex data ecosystems. PIPEDA will impede innovation if companies do not have certainty regarding the legal viability of the authority under PIPEDA to process personal information. And any lack of certainty will erode trust among stakeholders within the broader privacy arena.

Certain of the challenges considered in the Discussion Paper can be addressed by surgically amending PIPEDA to expand the circumstances in which organizations would have the authority under the Act to collect, use, or disclose personal information without consent. This can be achieved in a manner fully consistent with the spirit and intent of the Act. Indeed, the privacy interests of individuals are not adversely impacted when an organization relies upon one of the suite of current exceptions to consent provisions under PIPEDA (or other provincial private sector privacy statutes). The current statutory exceptions to consent consist of a list of circumstances where the process of obtaining consent of an individual is impractical, unnecessary, or otherwise not appropriate. To rely on an exception to consent, organizations still have to comply with the technical parameters of the particular exception to consent provision.^{Footnote 22} Moreover, when an organization collects, uses, or discloses personal information in reliance upon an exception to consent authority, the organization still must comply with PIPEDA’s other requirements that serve to regulate that organization’s personal information processing.^{Footnote 23}

The following is a brief list of amendments to PIPEDA that, if appropriately drafted, could address the range of challenges raised in the Discussion Paper in a manner that balances the interests of all stakeholders:^{Footnote 24}

Exception for Legitimate Interests – IAB Canada agrees with the Discussion Paper statement that broadening the permissible grounds under PIPEDA to include legitimate business interests (subject to a balancing test) is a helpful solution to address the challenges to PIPEDA’s consent model, especially in highly complex ecosystems such as the Internet of Things. Such an exception could be informed by guidance issued by your Office that would address the meaning of scope of the phrase “legitimate business interests”, the key elements of the “balancing test” that would ensure privacy interests are appropriately addressed, and the practical steps for organizations to consider to help ensure their privacy management programs govern the scope of personal information processing in reliance upon the exception. Incorporating ethical assessments (as outlined in the Discussion Paper) into a privacy management program may be one means for an organization to maintain that a given type of personal information falls within the scope of the legitimate interests of the organization, and in a manner that appropriately balances and addresses privacy interests.
Exception for Analytics and Research – Section 7(2)(c) of PIPEDA currently permits organizations in the private sector to use data for statistical, and scholarly study or research, where it is impracticable to obtain consent and the organization informs the OPC.^{Footnote 25} On its face, organizations may be able to rely upon this exception to consent in its current form for authority for certain types of data analytic activities. To provide more legal certainty, it would be helpful to expand this provision to expressly contemplate data analytics processing. Moreover, as a practical benefit to all stakeholders, the current requirement to proactively notify the OPC of the use of personal information in question could be replaced with another mechanism, such as the organization notifying the OPC that it has established a privacy management program consistent with the OPC’s publicly stated expectations, which applies to the type or class of data analytics in question.
Publicly Available Information – PIPEDA contains exceptions to consent for the collection, use, and disclosure of certain prescribed classes of publicly available information.^{Footnote 26} The regulations specifying the classes of publicly available information came into force in 2001, and have remained unamended. The wording in some of the prescribed classes of publicly available information is dated and is becoming less relevant.^{Footnote 27} Through a structured, multi-stakeholder dialogue, these provisions could be appropriately updated and expanded to take into account the realities and reasonable expectations of individuals and the legitimate interests of organizations, with respect to the evolving types of publicly available information within the current data environment.

Additional Comments on Proposed Solutions in Discussion Paper

This section sets out additional comments on various other solutions proposed in the Discussion Paper.

No-Go Zones Not Required

We recommend strongly against any amendment to PIPEDA that would establish “no go zones” (i.e. a complete prohibition on certain types of personal information processing), or any so-called “proceed with caution zones” (i.e. additional substantive or procedural requirements as a pre-condition to certain personal information processing). Statutory amendments to PIPEDA of this nature are not required. PIPEDA’s existing holistic framework serves to protect privacy interests in all circumstances where a “no go” or “proceed with caution” zone may be contemplated. And practically, given the increasingly rapid pace of technological innovation, any statutory requirement that is drafted focusing on a certain data element, technology, process, or ecosystem risks being obsolete, out-of-date, and may have unintended adverse consequences, soon after it comes into force.

De-identification

The Discussion Paper considers the de-identification of personal information as a potential solution to the challenges within the next data environment, and raises the question as to whether consent should be required for the collection, use and disclosure of de-identified data.

The process of de-identifying or obfuscating data is widely used by organizations to help safeguard the personal information in their custody and control. PIPEDA does not require an organization to obtain consent in order to implement these, or other safeguarding or risk mitigating measures. Moreover, once personal information is de-identified, it may practically be non-identifiable, thus rendering the data outside the scope of PIPEDA (including PIPEDA’s consent requirements).

The processing of de-identified data is now commonly used as a means for organizations to leverage the potential of their data holdings for innovation in a manner that respects the privacy interests of individuals. De-identification of personal information can serve to materially limit (if not virtually eliminate) the risk and impact to an individual. There is no need to impose an additional requirement for consent for the collection, use, and disclosure of de-identified data, and a consent requirement for the processing of de-identified data would have unnecessary, and potentially severe, adverse consequences for innovation.

To remove any legal uncertainty regarding the authority under PIPEDA to process de-identified data, and consistent with the legislative approach under provincial health privacy statutes, ^{Footnote 28} we recommend that PIPEDA be amended to clarify and expressly authorize organizations to de-identify personal information without the necessity of consent. And consistent with the approach taken in the Ontario health privacy arena, stakeholders would be best served with guidance to assist organizations with the continually evolving industry standards for effective de-identification processes.^{Footnote 29}

Ethical Assessments

The Discussion Paper includes an excellent discussion about the potential role of ethical assessments to balance the legitimate needs of organizations with the privacy interests of individuals.

An assessment process that considers the ethical impact of data processing activities can be a helpful part of an organization’s efforts to respectfully treat data in their custody and control, specifically by providing an organization with a framework for establishing that the purpose and nature of a personal information processing activity is “reasonable”, “legitimate” and “appropriate”.

Notably, the type of ethical assessment process described in the Discussion Paper, in particular the framework being developed by the Information Accountability Foundation (IAF), is broader in scope than the typical privacy impact assessment process. For instance, the IAF framework involves a consideration of data (including personal information), so aspects of this type of process assess data in aggregate, non-identifiable form and, therefore, are outside the scope of PIPEDA. But to the extent an ethical assessment process can be used to consider and appropriately mitigate the impact of a personal information practice, such a process could presumably supplement (or be woven into) the organization’s privacy impact assessment process. In this regard, ethical assessment processes would serve to enhance an organization’s privacy management program and compliance with its accountability obligations under PIPEDA.

No Necessity for Additional OPC Enforcement Powers

PIPEDA currently provides the OPC with a suite of powers to enforce compliance with the Act. These include the power to investigate complaints,^{Footnote 30} self-initiate an investigation,^{Footnote 31} commence an audit,^{Footnote 32} compel production of information,^{Footnote 33} summon witnesses,^{Footnote 34} enter premises,^{Footnote 35} publicly name organizations,^{Footnote 36} enter into compliance agreements,^{Footnote 37} and issue fines with respect to contraventions of the pending security breach notification requirements.^{Footnote 38} The OPC also has discretion to enter into information sharing arrangements with its foreign counterparts for, among other things, enforcement purposes.^{Footnote 39}

Given PIPEDA’s balancing of interests framework, a remarkable feature of PIPEDA’s enforcement regime is that the statute does not include an express rights for organizations to challenge the OPC’s exercise of its enforcement powers. For instance, organizations have no express right under the statue to refer a subject matter of complaint to the Federal Court, nor is there a process within PIPEDA for organizations to challenge a determination by the OPC that a given incident gives rise to a “real risk of significant harm” to affected individuals,^{Footnote 40} or a fine levied by the OPC in connection therewith.^{Footnote 41}

In any event, the OPC does not require additional powers to oversee compliance or enforce any of the proposed solutions set out in the Discussion Paper. There do not appear to be compelling examples illustrating precisely why the existing arsenal of OPC powers is insufficient. On the contrary, to date, the OPC has have been remarkably successful in carrying out its statutory mandate under PIPEDA. The OPC has been highly respected in the international privacy arena for years, and as a direct result of the OPC's enforcement activities, Canada is now regarded as one of the leading jurisdictions globally, exploring privacy issues associated with new technologies.

It is critically important to meaningfully preserve PIPEDA’s “balancing of interests” framework. Any enhancement of OPC enforcement power needs to be thoughtfully considered through this lens, and requires a thorough, multi-stakeholder consultation.

Thank you again for opportunity to respond to the Discussion Paper. IAB Canada looks forward to participating in the forthcoming consultation.

Submitted on behalf of IAB Canada by:

Sonia Carreno
President
IAB Canada

Adam Kardash
Counsel
IAB Canada

Footnote 1

Office of the Privacy Commissioner of Canada, Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act, May 2016.

Return to footnote 1

Footnote 2

Englander v. Telus Communications, 2004 FCA 387 at paras. 38 and 46.

Return to footnote 2

Footnote 3

Principle 4.1 in Schedule 1 of PIPEDA.

Return to footnote 3

Footnote 4

Principle 4.1.4 in Schedule 1 of PIPEDA.

Return to footnote 4

Footnote 5

Office of the Information and Privacy Commissioner of Alberta, Office of the Privacy Commissioner of Canada, and Office of the Information and Privacy Commissioner for British Columbia, Getting Accountability Right with a Privacy Management Program, 2012, at p. 1 (the “Joint Accountability Guidance”).

Return to footnote 5

Footnote 6

Principle 4.3.1 in Schedule 1 to PIPEDA and section 6.1 of PIPEDA.

Return to footnote 6

Footnote 7

Sections 7(1) of PIPEDA (Collection without knowledge or consent); 7(2) (Use without knowledge or consent); 7(3) (Disclosure without knowledge or consent); 7(4) (Use without consent); 7(5) (Disclosure without consent); 7.2(1) (Prospective business transaction); 7.2(2) (Completed business transaction); 7.3 (Employment relationship); 7.4(1) (Use without consent); and 7.4(2) (Disclosure without consent).

Return to footnote 7

Footnote 8

Indeed, this is reflected in the Joint Accountability Guidance where there are minimal references to consent among the 100+ expectations for privacy management programs within the 26-page guidance document.

Return to footnote 8

Footnote 9

Englander v. Telus Communications, 2004 FCA 387 at para. 46.

Return to footnote 9

Footnote 10

Office of the Privacy Commissioner of Canada, updated in December 2015.

Return to footnote 10

Footnote 11

The OBA Guidance provides that implied consent (opt-out) for OBA could be considered reasonable if: individuals are made aware of the purposes for the practice in a clear and understandable manner; individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA; individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected; the opt-out takes effect immediately and is persistent; the information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and information collected and used is destroyed as soon as possible or effectively de-identified.

Return to footnote 11

Footnote 12

Office of the Privacy Commissioner of Canada, Guidelines for Online Consent, May 2014 available at and see Office of the Privacy Commissioner of Canada, Interpretation Bulletin: Form of Consent, March 2014.

Return to footnote 12

Footnote 13

For a list of companies participating in the AdChoices program, please see Participating Companies.

Return to footnote 13

Footnote 14

For instance, the phrase “explicitly specified” would presumably be informed by PIPEDA Principle 4.2 Identifying Purposes, and Principle 4.8 Openness. Moreover, the data minimization wording (“beyond that required”) would appear consistent with, and informed by, Principle 4 (Limited of Collection) and, more broadly, Section 5(3).

Return to footnote 14

Footnote 15

OPC, Consent and privacy, supra note 1 at 11-12.

Return to footnote 15

Footnote 16

Ibid at 12-13.

Return to footnote 16

Footnote 17

Ibid at 15-16.

Return to footnote 17

Footnote 18

Ibid at 13-14.

Return to footnote 18

Footnote 19

Ibid at 20-21.

Return to footnote 19

Footnote 20

Ibid at 22-23.

Return to footnote 20

Footnote 21

See, for instance, the following guidance issued by your Office: Office of the Privacy Commissioner of Canada, Guidelines on Privacy and Online Behavioural Advertising, updated in December 2015; Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta, and Office of the Information & Privacy Commissioner for British Columbia, Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps, 2012; and Office of the Privacy Commissioner of Canada, Guidelines for Online Consent, 2014.

Return to footnote 21

Footnote 22

See, for instance, the exceptions to consent for disclosure of personal information for investigation purposes, and fraud detection and prevention purposes, in Sections 7(3)(d.1) and 7(3)(d.2), respectively. Both of these exceptions to consent set out several elements that organizations must satisfy in order to rely upon these authorities for disclosure without consent.

Return to footnote 22

Footnote 23

For instance, an organization must still comply with Section 5(3), as well as PIPEDA’s safeguarding (Principle 4.7) and data minimization requirements (Principles 4.3.3 and 4.4).

Return to footnote 23

Footnote 24

Hopefully, the Federal Government will begin consideration of these (and other) amendments by commencing the long-overdue second mandated statutory review of PIPEDA so that these (and other necessary amendments to PIPEDA) can be incorporated into the Act. PIPEDA requires Parliament to review Part 1 of the Act every five years (Section 29). The second mandated review of PIPEDA, which should have commenced in 2011, has yet to be initiated.

Return to footnote 24

Footnote 25

Section 7(2)(c) specifically provides that an organization may use personal information without consent if “(c) it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used.”

Return to footnote 25

Footnote 26

Regulations Specifying Publicly Available Information, SOR/2001-7.

Return to footnote 26

Footnote 27

See, for instance, the reference in s. 1(a) of the Regulations to name, address and telephone number in relation to “a subscriber that appears in a telephone directory”.

Return to footnote 27

Footnote 28

Provincial health privacy statutes expressly authorize organizations to de-identify data (without the necessity to obtain an additional consent). See, for instance, section 37(1)(f) of Ontario’s Personal Health Information Protection Act, which provides that health information custodians are permitted to use personal information for the purposes of “modifying the information in order to conceal the identity of the individual.” Similarly, under Alberta’s Health Information Act, custodians may strip, encode or otherwise transform individually identifying health information to create non-identifying health information (s. 65). See, also, section 26(2)(b) of Saskatchewan’s Health Information Protection Act; sections 21(e) and 22(2)(g.3) of Manitoba’s Personal Health Information Act; sections 34(1)(q) and 51 of New Brunswick’s Personal Health Information Privacy and Access Act; section 49(3) of Nova Scotia’s Personal Health Information Act; section 21 of Newfoundland and Labrador’s Personal Health Information Act; sections 22(5)(h), 22(5)(r), and 40 of Prince Edward Island’s Health Information Act [not yet in force]; section 36(1) of Northwest Territories’ Health Information Act; and section 56(1)(h) of Yukon’s Health Information Privacy and Management Act [not yet in force].

Return to footnote 28

Footnote 29