Enabling Innovation Through An Enhanced Consent Model

Kirsten Thompson (Partner and Co-Lead, McCarthy Tetrault’s national Cybersecurity, Privacy and Data Protection group)

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Summary

The current consent model is adequate for most contexts, but needs to be elaborated upon to address the digital world that is being created as technology and economics increasingly encourage organizations to be data driven.

PIPEDA aims to be technology-neutral and flexible. Prescriptive legislative amendments run counter to this and do little to ensure the regulatory environment remains current. Amendments will be necessary, but should be broad in nature and concept, and support more nuanced responses to technological challenges through the mechanisms of policy and guidance.

As consumers have become more sophisticated, so too have their expectations. As a consequence, the collection and use of relatively innocuous forms of personal information as a routine part of digital business should be presumed. Privacy policies should reflect this, with non-obvious and complex uses given priority, and routine “ordinary course” uses de-emphasised to remove clutter and to cut length.

Processing of personal information for the purpose of “legitimate interests” should be placed on par with consent as a permitted basis for an organization to process information, and this basis should be incorporated into PIPEDA. The current “reasonableness” test is too restrictive, impeding legitimate business and stifling innovation. Given the pace of technology and the competitive business environment, there is a need to do this in relatively short order.

The quid pro quo for organizations wishing to take advantage of this expansion of permissible uses should be that they be transparent about their practices. Organizations which rely on legitimate interest as a basis for processing information could demonstrate accountability by undertaking an analysis of the risk of such reliance, with such analysis including the nature of the use of analytics, types of information used, risk of harm, proportionality, applicable mitigation controls (e.g. anonymization), and so on. In this regard, OPC guidance as to best practices in respect of the establishment of legitimate interest and governance frameworks for analytics would be the mechanism by which an organization could demonstrate such accountability.

Finally, the OPC should move quickly to clarify that the processing of personal information in order to anonymise or de-identify it is not, in and of itself, a "use" of personal information for which consent is required. The de-identifying of personal information in circumstances where there is no serious possibility of re-identification should be accepted as a permissible use (so long as the personal information being used for a secondary purpose is being used in a manner that will not negatively impact the individuals concerned).
