Submission to the OPC’s Consultation on Consent under PIPEDA (Nova Scotia OIPC)

Nova Scotia Office of the Information & Privacy Commissioner

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Dear Daniel:

I read with interest your office’s consultation paper on consent and privacy. These are certainly challenging issues and the paper does a very nice job of organizing the issues and ideas. We had a discussion among the staff here in the Nova Scotia OIPC regarding the content of the paper and the consultation questions in particular. My comments below reflect our combined wisdom. I hope it is of some help to you and your staff as you work through these issues.

Perhaps it is no surprise that the majority of us are in the enhancing consent camp when it comes to possible solutions. We believe that the best way forward is to firmly acknowledge that data containing personal information belongs to the data subject and that any solution needs to re-inforce that.

So, for example, the idea that data could be tagged with the individual’s privacy choices and used only in accordance with those choices is a solution we prefer. Also, the idea of “sticky” privacy to control how packages of personal data are released and used sounds promising. Our experience with controls leads us to recommend that solutions be found in the technology. Requiring individuals to take more than a few steps to protect their own privacy or requiring businesses to act ethically will not be universally effective in our opinion. More is required.

We believe that the rights given to data subjects under the GDPR could be an important improvement to Canadian law. Particularly the idea of data portability and the right to be forgotten. These two rights further support the idea that the data belongs to the data subject and give the data subject meaningful substantive control over the data.

We do acknowledge that there must also be some other authorities for the use of personal data other than consent. We say this because we are concerned with how meaningful some consent models are. Of course improving the quality of consent is important but as your paper notes, it is not possible to anticipate all future uses at the time consent is obtained.

Therefore, we also agree that it is important to layer on other tests such as the PIPEDA s. 5(3) test. We see the legitimate business interest test in the GDPR as offering an opportunity to perhaps layer in better guidance than 5(3) by importing ideas of human rights into the equation. This does not have to be a broadening of permissible grounds for processing, rather a clarification and perhaps a tightening in some ways because of the need to balance the interests with the fundamental rights of the individual. Ethical assessments could likewise serve to further flesh out what a legitimate interest might be (i.e. not unethical at the very least).

In terms of statutory changes our experience and yours too I know, is that these changes take far too long. We need action now to prevent further undermining of citizens’ privacy rights. I think taking a policy guidance position that the purposes a reasonable person would consider are appropriate under s. 5(3) now include an expectation that a big data or IOT project will be ethical and will not violate the fundamental human rights of data subjects is worth advancing. Bringing the 5(3) standard more closely into alignment with the GDPR’s legitimate business interest test would also be good for business.

With respect to no-go zones this definitely has some appeal. It’s simple, straightforward and easy to assess whether or not the zone has been breached. But short of a statutory provision, such a no-go zone would really be for now, part of the guidance the OIPC could give in terms of what is ethically acceptable under the existing 5(3) test.

Otherwise, as noted above, promoting technical privacy solutions we think can have the most immediate and substantial effect on privacy rights.

I hope these thoughts are of some use to you and your staff. Thanks for all your work on this issue. It prompted a very interesting discussion here.

Yours truly,

Catherine Tully
Information and Privacy Commissioner for Nova Scotia