Submission to the OPC’s Consultation on Consent under PIPEDA (Canadian Bankers Association)

Canadian Bankers Association

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

The Canadian Bankers Association (CBAFootnote 1), on behalf of its members, is providing comments on Consent and Privacy: A discussion paper exploring the potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (the Paper).

The banking industry continues to be a leader in innovation and adopting new technologies while fostering customer trust and confidence.  Privacy is a cornerstone in building that trust.

We agree with the statement in the Paper that consent should not “pose a barrier to innovation and to the benefits of technological developments to individuals, organizations and society”. Canadian banks have a long track record of developing and adopting technology to serve their customers. Constantly looking to the future, banks have established internal innovation hubs and partnered with outside organizations, including universities, incubators, and technology companies, to pursue, design and deliver digital innovations and solutions for bank customers. We believe that limited changes within the existing PIPEDA framework would allow increased flexibility to organizations while still balancing the individual’s right to privacy.

Banks also understand the need for strong governance. The banking industry was the first to go beyond a statement of general privacy principles and develop a comprehensive privacy code of conduct in 1987. Banks have implemented, maintained and improved upon their existing internal controls and supporting policies and procedures since the implementation of PIPEDA in 2001. Canadian banks have a strong risk management regime including with respect to compliance and reputational risk. Banks must comply with OSFI Guideline E-13 – Regulatory Compliance Management, which requires a framework for identifying, risk-assessing, communicating, managing, and mitigating regulatory compliance risk, including compliance with PIPEDA. Furthermore, banks have established governance and project management procedures that facilitate Privacy by Design (PbD) when developing new products and processes.

We believe that the current legislative framework has been largely effective.  PIPEDA is principles based and technologically neutral and can continue to provide the necessary framework for new technologies and business models including the use of big data. PIPEDA balances an individual’s right to privacy and the need of organizations to collect, use or disclose personal information.  Subsection 5(3) of PIPEDA serves as a limit to the collection, use and disclosure of personal information to that for which a reasonable person would consider appropriate in the circumstances.

However, as the use and processing of personal data becomes more varied and complex, it may become more difficult to provide clear and simple methods for customers to understand how their personal data will be used and to decide when to withdraw consent.  The existing PIPEDA framework can be utilized with a few revisions to allow for the evolution of the consent model.  The CBA suggests the following:

  • Consent should be just one of the legal grounds on which personal information can be processed similar to the EU General Data Protection Regulation;
  • Section 7 of PIPEDA could be revised to add additional exceptions to allow organizations to process personal information for legitimate business interests and consistent use;
  • The definition of “publicly available” in the regulations could be amended to include all instances where individuals chose to make their information available to the public to be more reflective of the current environment;
  • Certain PIPEDA principles could be reconsidered.  In particular, guidance on Principle 4.3.3 could be provided to allow for a broadened application of “legitimate purposes” to support current technological advances. 

We support a combination of the solutions outlined in the Paper. In addition to changes to PIPEDA that would allow for other legitimate grounds for processing data beyond consent, we would also support the development of codes of practice. Codes of practice based on activity rather than separate codes for each industry sector could serve to provide practical guidance on certain issues, for example de-identification.

The OPC is well positioned to provide effective oversight for new or enhanced consent rules. The OPC already has broad oversight and enforcement powers including the ability to conduct audits of the privacy policies and practices of organizations and to enter into compliance agreements with organizations. The OPC can also provide effective guidance to the industry. We do not believe that any further powers for the OPC are required in connection with the implementation of new mechanisms to support the consent model.

These views are further articulated in our responses below to the specific questions in the Paper.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Enhancing Consent

Question 1: What measures have the potential to enhance consent and how should their development/adoption be promoted?

We believe that the existing framework is generally working well. PIPEDA is and should remain flexible in order to allow each organization to determine its own approach to obtaining consent that best meets its customers’ needs and provides a positive client experience.

The current flexibility within PIPEDA also allows the OPC to provide guidance as technology evolves similar to the Guidelines for Online Consent.

To enhance the consent model, we suggest leveraging various stakeholders to assist with raising the public’s awareness and understanding of the role of the individual in the privacy framework.

Further, introducing additional grounds such as legitimate business interests and consistent use that would permit organizations to collect, use and disclose personal information without consent would provide a means to streamline and simplify privacy notices.  Simplifying privacy notices would facilitate a more informed consent process.  Consumers could focus on information that is the most important to them and that they can action (e.g. secondary uses of personal information where consent can be revoked).

Question 2: What incentives should exist for organizations to implement greater transparency and privacy preference mechanisms to enhance individuals’ ability to provide consent?

Organizations already have a strong incentive to enhance their customers’ ability to provide consent. Building customers’ trust through transparency and other methods is a business necessity.  Market factors will adequately manage to this need. Customers have a long standing trust for banks, in how they manage their personal information. There is no need for legislative incentives in this regard.

Question 3: How should PbD be treated in the context of Canada’s privacy law framework?  Should this concept merely be encouraged as a desirable aspect of an accountability regime? Or should it be a legislated requirement as it will soon be in Europe?

Canada has been a leader in this space. PbD is reflective of the fair information privacy principles which are outlined in Schedule 1 of PIPEDA and is embedded in OPC guidance. The banking industry has long used PbD as a tool to facilitate compliance with PIPEDA. The OPC currently has the necessary oversight mechanisms to ensure organizations use PbD approaches. Therefore, in our view, there is no need to legislate further in this area.

Alternatives to Consent

De-identification

Question 1: What are the criteria for assessing and classifying risk of re-identification?

A typical risk assessment matrix would include the likelihood of an event (re-identification) occurring and the impact of an event (degree of infringement of an individual’s privacy in the event of re-identification).  The controls that are implemented (contracts, access controls, limitations on the amount and type of information that is accessible, etc.) must be considered in order to determine the residual risk.

In PIPEDA, 4.7 Principle 7 – Safeguards adequately sets out the factors to be considered when designing methods to safeguard information including the sensitivity of the information, the amount, distribution, and format of the information and the method of storage.

Question 2: Should consent be required for the collection, use and disclosure of de-identified data? If so, under what conditions?

De-identified information is not considered personal information unless there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.  Accordingly, it does not fall within PIPEDA’s framework and consent is not required.

Question 3:  Is there a workable, risk-based approach that can vary the stringency of the consent requirement with the risk of re-identifiability of data?

We do not believe that there should be a consent requirement for de-identified data. An organization is responsible for the information in its possession or under its control and must have the necessary safeguards to meet that obligation.  In the event that information became re-identified which resulted in unauthorized access or use of the personal information, the breach notification and reporting provisions would be triggered. Further, the process of de-identification should be considered a legitimate business process that can enhance privacy use and safeguarding practices and should not require consent. There should be an exception to consent for the purpose of disposing of information or modifying information to conceal the identity of the individual.

Question 4: What role should contractual backstops play?  Are there other ways to protect de-identified data?

PIPEDA already puts the accountability on organizations to protect the personal information under their control. Contracts with third parties are currently recognized as a method to protect information, whether through an outsourcing arrangement or the sharing of de-identified information.  Banks must also comply with OSFI Guideline B-10 – Outsourcing of Business Activities, Functions and Processes. Evergreen guidance and codes of practice on de-identification could help to provide clarity and promote best practices across industries.

“No-Go Zones”

Questions 1: If subsection 5(3) can offer the possibility of true prohibitions, what should some of these prohibitions be?

We believe that subsection 5(3) is sufficient as it is contextual in nature and provides for flexibility. Given the speed of innovation the contextual nature of subsection 5(3) is preferable. Specific “no-go zones” may quickly become ineffective due to advances in technology or changes in public perception.

Question 2: Is subsection 5(3) sufficient or do we need further rules regarding “No Go zones” for collection, use and disclosure, such as those involving potentially discriminatory practices or when children are involved?

We believe that subsection 5(3) in combination with other existing legislation and regulatory and industry codes is sufficient.  For example, the Canadian Human Rights Act and similar provincial legislation already prohibit discriminatory practices.

Question 3: Under PIPEDA, context and sensitivity help determine whether express or implied consent can be relied on. Should there be further rules depending on certain types of information or uses?

We believe that the current PIPEDA consent model which relies on context and sensitivity has worked well.

Legitimate business interests

Question 1: In the absence of consent, what grounds for lawful processing could authorize the collection, use and disclosure of personal information?

The grounds for processing personal information must provide the flexibility for innovation which is beneficial for consumers, industry and the economy. Processing data for legitimate business interests has long been recognized in the EU and will continue to be recognized in the EU General Data Protection Regulation. Expanding the grounds for lawful processing could also reduce the complexity of privacy notices, prevent privacy notice fatigue, and allow for individuals to have more precise and meaningful information that they can understand and use.

Processing personal information for legitimate business purposes that a consumer would consider reasonable and appropriate should not require consent. Examples of legitimate business purposes that should not require consent include:

  • For the purposes for which it was collected or created;
  • For the purposes of fulfilling a service (e.g. using information for authentication purposes, sharing information with service providers);
  • For planning, understanding or delivering products or services to customers in a proactive way to meet a customer’s changing needs;
  • For the purposes of risk management, error management or improving the quality of information;
  • For the purposes of meeting self-regulatory and regulatory requirements;
  • For educating employees, where de-identification would be impossible (customer service training);
  • For the purposes of disposing of information or modifying the information to conceal the identity of the individual.

We also believe that there should be an exception to consent for consistent use. Where a use or disclosure is consistent with the purpose for which the information was originally collected, we suggest that a new consent from the individual should not be required. Again this would support innovation and mitigate privacy notice fatigue.

Question 2: How do we ensure a fair and ethical assessment of grounds for lawful processing that ensure the proper balance is achieved?

Businesses should be expected to self-regulate in a manner that ensures that customer data is used appropriately in compliance with subsection 5(3) of PIPEDA. Protecting privacy and building trust is a market imperative.  Other consumer legislation and voluntary codes support the assurance of subsection 5(3) such as credit reporting legislation, human rights legislation, and online behavioural advertising standards. Further, banks have established governance frameworks to facilitate that personal information is collected, used and disclosed in a manner that a reasonable person would consider appropriate in the circumstances.

Question 3: What would be the role of regulators in assessing grounds for lawful processing?

The OPC already has broad oversight and enforcement powers including the ability to conduct audits of the privacy policies and practices of organizations, to enter into compliance agreements with organizations and to refer egregious non-compliance to the Federal Court. These enforcement powers can continue to be leveraged to ensure that organizations have effective processes and governance.

Governance

Codes of Practice

Question 1: Could sectoral codes of practice indeed enhance consent and/or privacy protection?

We believe that all codes of practice should be voluntary and based on activity and not a particular industry sector. Codes of practice can be instrumental in providing practical guidance and provide flexibility to allow for guidance to evolve as products, technology, business models, etc. change over time. We agree with the statement in the Paper that codes of practice can provide greater predictability and consistency for organizations in understanding their obligations and greater clarity for individuals that their information is being processed in a transparent and fair manner.

Question 2: How should they be enforceable?

We believe that codes of practice should be seen as best practices and should not be enforced by the regulator.

Question 3: Who should be involved in developing sectoral codes? Who should be responsible for overseeing compliance with sectoral codes?

Various models could be used including development through a broad base of organizations with similar activities or through stakeholders representing various interests such as consumers, academics and industry. As mentioned earlier, we believe that such codes should be voluntary, activity based and not enforced.

Privacy Trustmarks

Question1: Under what conditions are trustmarks a sensible and reliable tool for protecting consumer privacy in the evolving digital environment?

We believe these programs should be part of self-regulation and optional.

Question 2: How would a privacy seal program operate alongside PIPEDA

A privacy seal program should certify that an organization’s practices reflect the fair information privacy principles. As stated above, we believe these programs should be part of self-regulation and optional.

Ethical Assessments

Question 1: To what extent are the suggestions by CIPL, FPF and IAF helpful and practicable in assessing ethical uses?

The suggestions by these groups are helpful in brainstorming ways to balance an organization’s need to process personal information for legitimate purposes with individuals’ right to privacy. It is important to think of alternatives to consent where consent is not meaningful or necessary such as for legitimate business purposes or where there is a consistent use.

Question 2: To what extent can businesses be expected to self-regulate in a manner that protects individual privacy in the new digital age?

Businesses can be expected to self-regulate in a manner that protects individual privacy because protecting privacy and building trust is a market imperative. PbD allows for privacy principles to be incorporated at every stage of the development process and is a flexible tool that can address technology advances. With respect to the banking industry, banks have significant expertise in governance and risk management and are able to determine when the collection, use or disclosure of personal information is for a purpose that a reasonable person would consider appropriate in the circumstances.

Question 3: How should such ethics boards be created, composed and funded?  Who should they report to, and what should be their decision-making power?

We do not believe that ethics boards are necessary. PIPEDA already requires that organizations have policies and procedures to ensure compliance, including compliance with subsection 5(3). Further, any type of external review would be difficult to implement in the private sector where business confidentiality and waiver of privilege concerns could arise.

Conclusion

Question 1: Of the solutions identified in the paper, which one(s) has/have the most merit and why?

We believe that the solutions that allow for new grounds for the processing of personal data beyond consent (legitimate business interests, consistent use) and the development of voluntary, activity based codes of practice have the most merit. These changes would reduce the complexity of privacy notices, prevent privacy notice fatigue, and allow individuals to have more precise and meaningful information that they can understand and use. These solutions would also help to foster innovation and allow Canadian businesses to more easily provide their customers with new and improved products and services.

Question 2: What solutions have we not identified that would be helpful in addressing consent challenges and why?

The OPC could issue guidance to assist organizations in applying Principle 4.3.3 to a broader range of processing that meets the reasonable expectations of customers and balances the organization’s business needs, including the need to innovate.

The focus could be shifted from consent to transparency. Where organizations are transparent in how personal information will be used and such use is appropriate in the circumstances, this should be considered a condition of service for which the customer may not opt out of those uses.

Questions 3: What roles, responsibilities and authorities should the parties responsible for promoting the development and adoption of solutions have to produce the most effective system?

Industry, consumers and the regulator all have a role to play:

  • The role of the OPC should remain consistent with its current mandate of education, providing guidance and using an ombudsman approach to resolving concerns raised by individuals;
  • Industry has the responsibility to be transparent in their practices, support fair information practices in a legitimate way, follow the guidance recommended by the OPC, and protect the personal information which they collect from their customers;
  • Consumers should understand their obligations when using products and services.  Consumers need to understand their rights but also their responsibilities.

Question 4: What, if any, legislative changes are required?

We would suggest legislative changes to section 7 of PIPEDA to allow for more exceptions to consent for legitimate business purposes. In the modern era, the use and processing of personal information has become not only more varied and complex, but also necessary, to foster innovation to meet the needs of customers.

Amendments to 4.3 Principle 3 – Consent of PIPEDA may also be required to ensure legislative requirements are duly harmonized.

What additional powers, if any, should be given to the OPC to oversee compliance and enforce new or enhanced consent rules?

The OPC already has broad oversight and enforcement powers including the ability to conduct audits of the privacy policies and practices of organizations, to enter into compliance agreements with organizations, and to refer non-compliance matters to Federal Court. As we have seen, the OPC can also provide effective guidance to the industry and consumers. We do not believe that further powers for the OPC are required in connection with the implementation of new mechanisms to support the consent model.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: