Submission to the OPC’s Consultation on Consent under PIPEDA (Shaw)

Shaw Communications Inc.

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

As a major connectivity provider operating in a highly competitive market, Shaw is committed to respecting the privacy of our customers. While our approach to privacy is fully consistent with applicable law, we recognize it as being integral to delivering exceptional customer experience − a fundamental component of Shaw’s philosophy. In today’s complex environment, ensuring the consensual collection and use of PI is of paramount importance. Trust is the common denominator that enables individuals to enjoy an evolving range of products and services, and businesses to succeed by maintaining customer satisfaction.

Products and services are becoming increasingly sophisticated, as is consumer understanding of such products and services and their potential benefits.  Ensuring that organizations can satisfy changing customer demands and expectations calls for balancing appropriate safeguards and reasonable flexibility in Canada’s privacy framework. This will allow parties to maximize personal and commercial returns from new technologies, and will ensure that Canadians benefit from a robust and innovative domestic digital economy.

PIPEDA has created a solid, yet flexible, consent framework. In response to changes in the ways in which PI has been collected since PIPEDA’s inception, the OPC has issued invaluable guidance. PIPEDA’s application can continue to evolve to meet the demands of the changing environment without any fundamental re-working or an overly rigid approach to interpretation. A continued flexible and collaborative approach will support individuals’ expectations and best interests, as well as innovation, while obviating the need for costly regulatory measures (such as third-party certifications or new enforcement provisions) that could have a chilling effect on the digital economy.

Discussion Paper solutions which we consider to have merit include the proposal for greater transparency in privacy policies and notices, which Shaw believes should include measures to enable the provision of simpler, easy-to-understand privacy policies and disclosures to increase their efficacy and the quality of consent. Disclosure related to PI usages undertaken to facilitate the mere delivery of the product(s) or service(s) should be permitted to be streamlined. A revised approach to transparency should focus on:

  • how PI is collected for purposes beyond the basic activities required to deliver a product or service,
  • identifying initiatives that involve the collection and usage of sensitive PI or the creation of profiles, and
  • identifying clearly situations in which PI is provided to third parties for commercial purposes.

Shaw also supports further consideration of information that may be collected without consent pursuant to “legitimate business interests”, and the development of voluntary industry codes of best privacy practices in consultation with the OPC. Such codes may address acceptable practices concerning data de-identification and aggregation, and the collection of anonymous data linked to device identifiers.

Additional solutions that would be helpful to address consent challenges include:

  • careful adherence to the principle of technological and sectoral neutrality in establishing and interpreting consent requirements. This will avoid confusion among individuals concerning uses of their PI, frustration of their expectations, and the creation of competitive disparities among different sectors.
  • avoidance of an overly broad interpretation of what constitutes PI that could lead to inappropriate restrictions on the collection and use of information not tied to an individual, such as data collected in association with an anonymous device identifier. Such interpretation can confuse individuals from whom consent is sought and undermine economic activity. Appropriate internal organizational policies can ensure privacy with respect to such information.
  • recognition that certain uses of PI may not require consent, such as basic information necessary to provide a customer with the fundamental services to which they subscribe.
  • evolution of Canada’s consent model to permit the safe usage of aggregate and anonymized data by setting clear and practical boundaries. To that end, Shaw supports the development of industry parameters for de-identification.

Finally, regarding the appropriate roles, responsibilities and authorities of parties for the purpose of developing solutions, Shaw does not believe that the introduction of administrative monetary penalties, certification requirements, or overly broad interpretations of PIPEDA would be helpful or appropriate. Overall, PIPEDA and the policy and enforcement approach developed pursuant to it remain appropriate and should generally be maintained. We support consideration of how industry may formulate best practices on which to base flexible legislative interpretations that benefit both individuals and organizations.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Introduction

Shaw is a major Canadian enhanced connectivity provider. We serve over 3.2 million individual and business customers with a range of services, including broadband Internet, WiFi, video and digital phone. In addition, we recently acquired WIND Mobile, which provides wireless phone and internet services to over one million subscribers.

Shaw is deeply committed to respecting the privacy of its customers. We take care to ensure that any collection, use and/or disclosure of personal information (PI) occurs with the consent of the individual to whom that information pertains (subject to very limited disclosures pursuant to the requests of public authorities, carefully overseen by us in strict accordance with the law). We also ensure that the purposes for which such PI is collected, used or disclosed are explained as clearly as possible. Every business activity or development at Shaw that has privacy implications is carefully examined to ensure it is acceptable, and any and all customer concerns about our treatment of their PI are discreetly and carefully vetted.

Shaw’s approach is not taken solely, or even primarily, in satisfaction of our legal obligations. Instead, our respect for, and responsiveness to, privacy-related concerns and issues are integral to delivering exceptional customer experience. Providing this experience is central to Shaw’s philosophy and we work diligently to ensure that it is not undermined by privacy practices that are inconsistent with either customer expectations or the law.

Shaw agrees that the issues arising from what the Discussion Paper refers to as “an ecosystem of vast, complex information flows and ubiquitous computing” (Footnote 1) merit a discussion about appropriate approaches to the protection of privacy going forward. Companies today strive to maximize opportunities in a rapidly-evolving, global digital marketplace, and individuals seek to maximize the benefits of cutting-edge products and services. For both groups, ensuring the consensual collection and use of PI is of paramount importance. Trust is the common denominator that enables individuals to benefit from innovation, and businesses to develop the strong relationships with customers that they need to succeed.

Shaw operates in a highly competitive market for connectivity services in western Canada. Customers have real choice and very high expectations with respect to the products and services that they receive. Championing their privacy is a critical element of earning and maintaining customer confidence and loyalty. At the same time, as products, services and customer understanding of the potential benefits of advanced data uses become increasingly sophisticated, ensuring that organizations can respond to customer needs and expectations and innovate requires striking a balance between reasonable flexibility and appropriate safeguards in Canada’s privacy framework. This, in turn, entails properly gauging and defining the extent to which we can and should rely on personal responsibility, market discipline, industry self-regulation, government policy and/or legal requirements to protect privacy while concurrently sustaining business certainty and opportunity.

Striking the right balance will allow individuals and businesses to benefit from new technologies. At the same time, this balance is crucial to the achievement of Canada’s broader innovation, pursuant to which Canadians will benefit from the development of a robust but fair digital economy in which they can participate as citizens, consumers, workers and investors. Ultimately, as the Discussion Paper submits:

Consent should not be a burden for either individuals or organizations, nor should it pose a barrier to innovation and to the benefits of technological developments to individuals, organizations and societies. (Footnote 2)

Shaw completely agrees with the above statement and appreciates the Discussion Paper’s acknowledgement that privacy concerns need to be addressed in a way that supports the many positive contributions of the digital economy to individual and collective well-being. Canada will benefit from a privacy model that supports innovative initiatives, such as big data analytics and relevant advertising programs. To the extent that our consent model is inflexible or burdens individuals either by under- or over-estimating their reasonable expectations concerning their PI, or by rendering consent-giving and consent-collection impractical, it will place our country at a distinct disadvantage in a globalized digital economy.

From that fundamental vantage point, Shaw is pleased to offer its general perspective on privacy, as well as initial responses to certain questions posed by the Discussion Paper. Shaw confirms that we have read and understood the published consultation procedures and notes that our proposals herein have implications for consumers, the industry, the Office of the Privacy Commissioner of Canada (OPC) and government. These comments are in no way exhaustive. Shaw looks forward to continued engagement with the OPC and other interested parties as possible modifications to Canada’s privacy framework are further discussed and debated.

PIPEDA and Canada’s Existing Approach to Privacy

PIPEDA has created a solid, yet flexible, framework for gathering consent for the collection, storage and use of PI that has worked well to balance the interests of individuals and organizations. Since PIPEDA came into force fully in 2004, there has been a significant evolution in the ways in which PI is collected (an all-digital world offers many more points of entry), stored (cloud systems are becoming the norm) and used (for example to inform marketing departments and tailor advertising). OPC guidance has been issued over the years to respond to environmental changes and that guidance has been invaluable.

While the increased complexity of the changing ecosystem presents challenges for organizations in obtaining meaningful consent, and for individuals seeking to understand and manage the proposed uses of their PI, there is no need for a ground-up re-working of Canada’s privacy law framework or an overly-rigid approach to PIPEDA interpretation.  Just as technology and the treatment of PI has evolved, so can and must application of PIPEDA.

As discussed below, flexible interpretation—including a broader approach to implied consent (and, when appropriate, the removal of consent requirements), avoidance of an expanded PIPEDA definition of PI, and industry consideration of self-regulatory best practices—will ensure that the privacy and broader interests of individuals, organizations and the public in the digital economy continue to be well-supported. The implementation of a flexible and collaborative approach obviates the need for costly programs involving third party certifications and seals, or new enforcement provisions.

Question 1 – Of the solutions identified in this paper, which one(s) has/have the most merit and why?

Greater Transparency in Privacy Policies and Notices

Shaw agrees that organizations should work towards simpler, more transparent and more user-friendly Privacy Policies to enhance individuals’ understanding of an organization’s practices that affect their PI.

Currently, the disclosure of most collection, use, retention and sharing of PI is required in order to establish consent, and such disclosure is frequently found in organizations’ privacy policies. To enable the provision of simpler, easy-to-understand privacy policies, disclosure related to the usages of PI undertaken to facilitate the mere delivery of the product(s) or service(s) to which a customer subscribes should be permitted to be streamlined. In that way, organizations and their customers can focus on “out of the ordinary” usages which demand the reader’s full attention. Compelling disclosure of all PI usage at the same level of detail in order to create an adequate breadth of consent unnecessarily complicates privacy policies and communications with customers in a manner that does not fundamentally assist them − particularly given that the PI practices upon which service delivery depends cannot be avoided.

Instead, companies should focus on:

  • Explaining in detail how PI is collected and used for purposes that go beyond the basic activities required to deliver a product or a service,
  • Identifying initiatives that involve the collection and usage of sensitive PI or the creation of profiles, and
  • Transparency regarding situations where PI is provided to third parties for commercial purposes.

The approach proposed above would clarify communications with customers and increase the efficacy of disclosures and the gathering of meaningful consent.

Legitimate Business Interests

Shaw believes there is merit in further consideration of information that may be collected and used without consent as a function of “legitimate business interests”. For example, Shaw submits that non-sensitive PI that is necessary for the provision of a particular good or service is an example of data collection and use that could potentially be relieved from any consent requirement on this ground, or specifically identified as an instance of “deemed consent”. The collection and use of such data for purposes of provisioning the subscribed services would be consistent with the reasonable expectations of the individual.

We note that this would be consistent with the approach taken to consent to network upgrades pursuant to s.6(b) of the Regulations introduced pursuant to Canada’s Anti-Spam Law (Footnote 3). In introducing s.6(b), Industry Canada accepted stakeholder submissions that:

it is reasonable to assume that a person would consent to the installation of computer programs to update or upgrade a TSP's network. To address this concern, the Regulations provide for deemed consent for TSPs to install computer programs to update or upgrade their networks. (Footnote 4)

While Shaw supports further consideration of what practices may appropriately be relieved of regulatory requirements because they represent “legitimate business interests”, care must be taken to ensure that the concept does not result in the introduction of a competitive advantage for particular kinds of businesses or technologies to the detriment of others. To that end, sufficient guidance and examples of what constitutes legitimate interest should be established to provide a common standard and enable organizations to use the concept in a manner that ensures that functional business considerations are consistent with consumers’ privacy interests.

Voluntary Industry Codes of Best Practices

Shaw supports further consideration of the development of voluntary industry codes of best practices with respect to activities such as data de-identification and aggregation, and protocols to ensure the anonymity of data collected in connection with a device identifier. The goal of best practice or code development would be to establish a light-handed regulatory approach to activities where privacy concerns can be mitigated by the articulation of practical, self-regulatory parameters. The provision of specific regulation or even generalized guidance on emerging practices runs a risk of being overly broad and out of proportion to risk. It may also undermine Canadian companies’ incentive to innovate and competitiveness, and limit the benefits enuring to Canadians from innovation.

In contrast to formal policy decisions or rules, voluntary industry codes can achieve meaningful practical guidance that can evolve over time as technology and market practices change. While such codes may reside with a particular industry group (sectoral or functional, as circumstances require), the deliberations that serve as their basis can accommodate collaboration with and input from the OPC. This will provide the OPC with the opportunity to understand the goals and modalities of particular practices while, conversely, enabling data collectors and users to understand and respond to the OPC’s concerns so that parties may agree on an acceptable practice and a manageable self-regulatory approach.

Shaw is currently engaged in another collaborative effort with government and industry stakeholders to arrive at a voluntary agreement on energy efficiency for cable and satellite set-top boxes. The experience has been positive and all participants are hopeful of a mutually-acceptable, non-regulated outcome. The openness and fulsome collaboration that has characterized this process has enabled all stakeholders to realize the core concerns of the other and to reach cost-effective and practical energy consumption commitments that respect the public interest and the importance of innovation.

This experience supports our conviction in the potential efficacy of voluntary industry codes related to data collection and use practices. That being said, Shaw does not believe there is any need for the OPC to formally “approve” a particular Code or for any third parties to grant privacy “seals” or certifications. In a rapidly evolving and highly competitive environment, the creation of new layers of requirements and administration costs would be counter-productive.

Question 2 – What solutions has the OPC not identified that would be helpful in addressing consent challenges and why?

Shaw believes that certain steps can be taken to improve the current consent model.  Specifically, as described below:

  1. the principle of technological and sectoral neutrality should be respected in arriving at and implementing interpretations with respect to consent requirements,
  2. the PIPEDA definition of PI should not be interpreted in an overly broad fashion,
  3. certain uses may not require consent,
  4. the usage of de-identified personal information should be permitted without consent.

i)  The Principle of Technological and Sectoral Neutrality

In order to continue to support organizations in meeting the legislative standard, guidelines and recommendations must apply consistently across industries to avoid competitive disparities among different sectors rooted in privacy requirements. Online behavioural advertising is an example of an area that has been subject to legal interpretation that created such disparities, which in turn triggered disincentives to invest and business uncertainty.

Shaw respectfully submits that the same functional activities engaged in by two different kinds of organization should be dealt with similarly, when the data collected is non-personal or de-identified and the purposes for collection are similar. Disparate legal or regulatory treatment of the same functional practices conducted by two kinds of businesses can cause confusion on the part of individuals with respect to the collection and use of their PI. Moreover, behavioural advertising can provide enormous benefits both to users and corporations and can even, in the case of use by licensed broadcasting undertakings, help such licensees fulfill legislated public policy objectives that depend on the continued competitiveness of the Canadian industry.

In short, as long as common boundaries and ethical principles are followed (which could, for example, be the subject of an industry code) the benefits of a particular data collection and use practice should not be afforded to one party but denied to another pursuant to an uneven application of regulation or policy. The protection of personal information, and the opportunity to collect and use data pursuant to a particular standard (e.g. no consent, implied consent or express consent) should be consistent across the board, both so that individuals have a consistent understanding of the use of their PI and so that there is competitive parity as between different organizations.

ii)  The PIPEDA Definition of PI Should Not Be Interpreted in an Overly-Broad Fashion

The definition of PI and scope of its application is critical when looking at the implementation of the Canadian consent model. An overly-broad application of the definition can lead to excessive limitations on collection and usage of information that is not tied to any individual and that in no way endangers customer privacy. It can also confuse customers required to consent to such usages, and lead to a loss of economic opportunity.

Organizations commonly rely on data collected in connection with a device identifier, knowing that they have the capability to tie this device identifier to a customer account. Organizations are aware that tying the device identifier back to a user would make the information personal in nature and, accordingly, have policies in place to determine if and when such linkage may take place, for what purpose(s) and, in such circumstances, what privacy protocols will apply. Organizations are also aware that they must impose restrictions on any third party that would access this data, and especially prohibit any form of reverse engineering of the data.

Internal policies should be sufficient to ensure that information tied to a device can be used by an organization without jeopardizing the privacy of its customers. That said, available interpretation guidelines suggest that the category of information described above, even when linkage to an individual is excluded, could be seen as usage of information about an “identifiable” individual. The mere abstract possibility of tying the information back to a user should not lead to a determination that the information is personal and therefore subject to PIPEDA, when programs and policies are in place that indicate that such connection shall not be made in the absence of adherence to appropriate privacy protocols.

iii)  Certain Uses of PI May Not Require Consent

Shaw fully supports the dual model of implied/express consent established by PIPEDA. This consent model must evolve to support increasingly complex usage of data, taking into account that some data usage only impacts information that is non-personal in nature, aggregated and/or de-identified, and that other usages are so obvious to individuals in the context of their relationship with the provider of goods and services that they may not require consent at all.

Sensitivity of personal information and purpose for collection should be the driving factors in determining in which circumstances consent should be required.

As discussed above, requiring consent, even in an implied form, to use basic information necessary to provide the services a customer has decided to subscribe to, creates an unnecessary burden and the potential for customer confusion and frustration. Every time consent is sought, it triggers an opt-out requirement, which is problematic and complicated to offer when applied to personal information required to deliver a service. When exercised by a customer, it puts an organization in a difficult position of having to terminate the services provided to the customer. Such a requirement does not support basic economic activity and collection of information for the purpose of provisioning a product or service should be considered a “legitimate use” that does not trigger consent.

We believe that focusing on the handling of more critical usages of personal information, and lessening the consent obligations for basic personal information required to provide a service, is in the interest of both the public and corporations, and, generally speaking, would support beneficial commercial activity.

iv)  Usage of Aggregate, Anonymized PI Should Be Permitted Without Consent

To support IoT and Big Data initiatives, the Canadian consent model must evolve to support the safe usage of aggregate and anonymized data, by setting clear and practical boundaries.

Companies currently utilize information in many ways to understand customers. The usage of data analytics presents significant benefits to both organizations and users of their services. Not only can it help to ensure that consumers are provided with (or afforded the opportunity to receive) customized services and information, information gathered in this way avoids the need for more time-consuming and inaccurate information gathering practices (such as surveys, for example) that can encroach on individuals’ time and are less equipped to accurately discern their preferences. Recommendation engines are an example of how this new form of intelligence works and how it benefits everyone.

While Shaw supports an ongoing dialogue with a view to developing industry parameters for de-identification, no consent should be required for the collection, use and disclosure of de-identified data.

Question 3 – What roles, responsibilities and authorities should the parties responsible for promoting the development and adoption of solutions have to produce the most effective system?

Shaw believes that PIPEDA and the policy and enforcement approach developed pursuant to it continue to be appropriate and should be maintained. This model affords the OPC the ability to undertake detailed analyses of emerging policy issues and particular incidents, and to formulate appropriate guidance and direction. As discussed above, the devolution of enhanced responsibilities on industry to formulate voluntary best practices upon which to base flexible legislative interpretations can be of assistance in maintaining a highly adaptive and functional privacy regime as the digital economy evolves.

Complaint-driven decisions, which leave open the possibility of private legal action but carry no administrative monetary penalties (AMPs), have been an effective way to address and modify problematic privacy practices. At the same time, they avoid the real potential for a chill on innovation that would result from AMPs. Other instances of legislation related to privacy (specifically, Canada’s Anti-Spam Law, known as “CASL”) may have unwittingly negatively impacted Canada’s digital economy by employing very broad language in defining obligations, and providing for narrow exceptions and the potential for significant AMPs. Taken together, these features have engendered a very conservative approach to statutory interpretation that has arguably reduced companies’ ability to communicate effectively with their customers, even with respect to practical matters intended to improve customer service in connection with matters that in no way constitute conscious marketing. By contrast, the flexibility of PIPEDA and the current powers and responsibilities of the OPC, will allow Canada’s privacy law to evolve in an appropriate way that reflects multi-faceted public and private interests.

Conclusion

Shaw appreciates the OPC’s initiation of a process to consider the continued viability of the consent model for the collection and use of PI in the emerging digital economy. In general, we continue to support the consent model, recognizing that adjustments, such as those proposed herein, can simplify consent gathering while concurrently enhancing individuals’ understanding and management of uses of their PI.

The efficacy of any consent model, going forward, depends largely on its taking into account the reasonable and “common sense” expectations of individuals, and the fair and reasonable treatment of PI by organizations. Overly prescriptive requirements based on a false assumption that organizations are inherently disrespectful of privacy, piecemeal policy development that creates competitive disparities between technologies and sectors, and excessive approaches to enforcement will undermine Canada’s ability to thrive in the digital economy. Accordingly, we are appreciative that the Discussion Paper recognizes a strong public interest not only in privacy, but also in innovation.

From that vantage point, Shaw looks forward to reviewing the submissions of other stakeholders and to participating in future consultations on this issue.

Yours truly,

Cynthia Rathwell
Assistant General Counsel, Legislative and Regulatory Strategy
Shaw Communications Inc.

 
