Submission to the OPC’s Consultation on Consent under PIPEDA (ESAC)

Entertainment Software Association of Canada

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

In summary, ESAC members:

  • Do not support legislative amendments to PIPEDA at this time;
  • Believe that consent is still the most appropriate framework to protect individuals, and is in line with current international practice;
  • Support recommendations for a deeper and more explicit recognition in policy and legislation of implicit consent and of data analytics as a reasonable business use;
  • Encourage the OPC to develop voluntary best practices and guidance, developed in collaboration with industry, to help companies incorporate Privacy by Design practices into their businesses and industries;
  • Encourage industry sectors to adopt the practice of creating and integrating user friendly privacy settings and device controls, as appropriate and in cases where no such measures have been taken;
  • Support the adoption and on-going best practice of refining and clarifying all privacy policies, whether corporate, government or otherwise;
  • Do not support the creation of regulated “No-Go Zones” or any other limitation that threatens to stifle innovation or individual access to products and services;
  • Support the OPC’s encouragement for companies to engage in voluntary de-identification agreements as described in the Paper and do not believe any additional restraints on companies’ abilities to process and store de-identified data sets are necessary or warranted at this time;
  • Believe that rather than develop an OPC or Canadian trust mark, it is more effective if the OPC works with industry sectors to create or adopt trust mark programs where no standard trust mark is in use, and these should work similarly to TrustE’s APEC and/or Privacy Shield certification programs which include industry benefits for adoption;
  • Support the OPC suggestion to work with industry to develop voluntary codes of conduct to help organizations demonstrate compliance;
  • Support Government co-ordination and collaborations to achieve international privacy norms that guide legislation across jurisdictions;
  • Do not believe the OPC should have any new and additional enforcement powers or oversight responsibilities, not least because the new powers granted under the DPA have not yet come into force and been measured for their effectiveness;
  • Encourage companies and industries to be transparent about how personal information is used and to create privacy controls that users can manage on their own; and,
  • Strongly encourage the OPC to enhance its consumer education initiatives to provide Canadians with an objective toolkit, including objective, clear and easy to understand guidance on how to assess and manage individual privacy concerns.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

To Whom It May Concern:

Thank you for providing stakeholders with the opportunity to consult and collaborate with the Office of the Privacy Commissioner of Canada (OPC) regarding the consent regime established under the Personal Information Protection and Electronic Documents Act (PIPEDA) and potential opportunities to modernize Canada’s privacy framework.

The Entertainment Software Association of Canada (ESAC) represents leading video game companies in Canada, from multi-national publishers and console makers, to local distributors and independent studios. Our industry in Canada employs more than 20,000 people in full-time positions, and contributes over $3 Billion to Canada’s GDP. Canadian video game publishers and developers are responsible for some of the world’s most successful video game titles and franchises, including Assassin’s Creed, Deus Ex, Mass Effect, FIFA and NHL. To put this into context, the video game industry is the fastest growing entertainment industry globally and Canada is recognized as a leader in this space, with 90% of its revenues generated from non-domestic sales. As a matter of practice, as an export focused industry, our members are required to comply with the privacy laws of many international jurisdictions. Our industry takes these obligations seriously and takes rigorous steps to ensure that all personal information is protected and treated in a manner that complies with the current laws in each jurisdiction. To put it simply, privacy protections are a priority for our member companies.

ESAC members appreciate the opportunity to reply to the OPC’s Discussion Paper entitled “Consent and Privacy under the Personal Information Protection and Electronic Documents Act” (the Paper) and will do so by providing general feedback as well as specific replies to key questions raised in the paper.

Commentary & Reply

ESAC has historically participated in discussions regarding privacy law in Canada, including those which took place recently regarding the Digital Privacy Act (DPA). ESAC has been supportive of the changes made by the DPA, which included revisions to the definition of “consent” and the introduction of new powers for the Privacy Commissioner of Canada, and we are now working to ensure that accompanying Regulations preserve the balanced approach taken in Canadian privacy legislation. In light of these recent changes, many of which have yet to come into force, ESAC takes the general position that it is too soon to tell if the amendments have had any impact and effect that would justify re-opening the legislation at this time.

When the OPC says that “there is concern that technology and business models have changed so significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent”, we understand that the paper refers to failings stemming from a belief that:

  • Individuals no longer have adequate control of their personal information, at least in part, because they do not understand or have visibility into the deep and wide network of service providers supporting businesses today; and,
  • As a result, while consent can be given by an individual to a company, it is less valid or less “meaningful” when individuals are not presumably aware of all of the potential third parties that could access their information in some form, whether de-identified, aggregated, or otherwise; and,
  • For consent to be “meaningful”, individuals must appreciate all of the possibilities before they give their consent to a company to use their personal information.

With this understanding, ESAC sets out feedback below, which we hope will assist the OPC as they continue their work to enhance Canada’s privacy landscape. 

1. What legislative changes are required?

The balanced approach taken to develop Canada’s privacy regime has resulted in legislation and industry practice that is respected around the world. To date, a clear balance has been struck between individual privacy rights and the legitimate needs of businesses to collect, use and disclose personal information for reasonable purposes. Preserving a balanced privacy framework that not only addresses consumer needs but also reflects the evolving and increasingly virtual nature of global business, without stifling innovation or creating unreasonably onerous and restrictive legislative obstacles to overcome, should continue to be a guiding principle that underpins any future amendments to Canadian privacy legislation.

To underscore the importance of preserving balanced privacy legislation in Canada, it is helpful to consider that innovation in the video game industry does not occur in isolation or without consumer participation and feedback. In fact, unlike many other industries, our players and consumers expect, and consent, to share their data in exchange for the opportunity to participate in the evolution of their favourite games, to test new innovation and use their gameplay to provide feedback to game companies who in turn use it to enhance the player experience. The value and importance placed on the views of our consumers and players is immense and given priority consideration by video game developers. The data collected by our industry is considered to be commercially sensitive, and treated with the utmost care so as not to compromise the personal privacy of our consumers and protect the competitive sensitivities of our companies.

While we applaud the OPC for being proactive in its considerations surrounding consent, we caution against the temptation to engage in reactionary or speculative policy making to address advances in innovation and business practices. Technology is rapidly changing and it is important for Governments to understand, and play a role in, the evolving business ecosystem. However, it is also important to ensure that Government policies do not stifle the evolution of innovative sectors or have unintended consequences on industry.

The Paper seeks reply and comment on four main questions, and includes several thought provoking questions for broader consideration. Great detail is also provided to support possible solutions to address shortcomings regarding consent provisions in legislation generally. However, we note that the concerns being addressed by the proposed solutions were not clearly responsive to material case studies or a quantified number of instances where the actual shortcomings of the consent provisions in PIPEDA had obviously failed individuals, so much so, as to justify that the consent model could be considered wholly ineffective or “broken” and therefore in need of a replacement.

The solutions and discussion provided in the Paper are further presented through a lens that seemingly ignores or underestimates the comfort level many Canadians have with respect to sharing their personal information as part of the exchange to receive access to certain goods and services. While there is certainly room to improve the privacy practices of industry, there should also be room to acknowledge that individuals may not prioritize the privacy of their personal information, not because they are easily duped, but because they are informed enough and comfortable with the exchange of their data for access to services or products they want to use, and possibly enhance as a result of the exchange.

At present, ESAC members believe that consent is still the most appropriate framework to protect individuals, and is in line with current international practice. Moreover, we take the position that implicit consent is a valid form of consent that should be more broadly recognized in light of consumer realities. While there are many consumers who care about the uses of their personal information by companies, there is also a large number of consumers who are consciously indifferent or comfortable giving consent so that they can access the products and services they want, in a manner that is quick, efficient and seamless, with as few disruptions as possible.

ESAC not only takes the position that the consent regime should remain a core feature of Canadian privacy law, but also that implicit consent, a valid form of consent, should be more broadly recognized in light of consumer realities. PIPEDA’s existing exceptions to consent and the principle of implied consent already support an interpretation that allows for processing of personal information for legitimate business purposes. ESAC would support recommendations for a deeper and more explicit codification of implicit consent and recognition given to data analytics as a reasonable business use.

In practice, our members ensure that their privacy policies are clear, detailed and constantly improved. However, they are also cognizant of player preferences and the consumer demand to create the best player experience possible. As such, it is our view that done responsibly, the analysis of personal information by business can be highly beneficial to both companies and consumers, and should not be treated or viewed at the outset as problematic or a threat to individuals.

With respect to legislative amendments, ESAC takes the position that an entire re-prioritization of the consent regime is premature at this time and without substantial and material evidence to warrant such a drastic legislative shift. Further, we also believe that the current legislative provisions in PIPEDA provide the appropriate protections and balanced framework required to address the concerns raised in the Paper surrounding new technologies. Finally, should any legislative review be considered further, we believe that it is important for discussions surrounding amendments to occur within the broader context of the full legislative framework, and not be done in a piecemeal or isolated manner. Moreover, whether in the context of legislative amendment or otherwise, we encourage government officials to maintain a non-prescriptive, principles based approach to their policy work and legislative activities that preserves balance and neutrality to allow Canada’s privacy framework to evolve over time.

2. Which solutions have the most merit and why?

Our member companies study the data they collect for internal review of the quality of play, player enjoyment and engagement and then work to constantly improve their products and services to ensure consumer needs and player expectations are met. Player experience is, for all of our Members, paramount. This experience is intended to be safe, fun and engaging.

With this in mind, our Members prioritize privacy compliance and implement Privacy by Design (PbD) principles into their organizations. Throughout the development process, privacy considerations are accounted for, incorporated and verified by the business and legal teams responsible for the projects to ensure that players have a safe game play experience. ESAC members would encourage the OPC to develop voluntary best practices and guidance, developed in collaboration with industry, to help companies incorporate Privacy by Design practices into their businesses and industries.

Furthermore, ESAC and its members work hard to ensure that parental and player education tools are available to address and support privacy protections and online gameplay. Parental controls are integrated into every major video game console platform, and instructional videos, guidance and support are made available to consumers should they need assistance in changing the settings and controls. ESAC encourages industry sectors to adopt the practice of creating and integrating user friendly privacy settings and controls, as appropriate, in cases where no such measures have been taken.

Finally, our member organizations are always working to improve their privacy policies and to make them increasingly clear and transparent for their consumers. As the business environment continues to evolve, so too will the privacy policies of each company. ESAC supports the adoption and on-going best practice of refining and clarifying all privacy policies, whether corporate, government or otherwise.

ESAC members do not support the creation of regulated “No-Go Zones” or any other limitation that threatens to stifle innovation or individual access to products and services. There are a number of scenarios and reasons for potential data processing activities that are currently unknown or foreseeable. As such, putting blanket restrictions on industry’s use of data will certainly stifle innovation and deprive Canadian citizens of the ability to make meaningful decisions about how they want to use their data. We believe strongly that people should retain the right to choose how and under what circumstances to share their data and the introduction of restrictive regulation and “No-Go Zones” undermines this individual choice as well as threatens to stifle innovation. ESAC would be willing to engage the OPC in a further discussion on best practices that industry could adopt voluntarily to address some of the concerns raised in this section of the Paper.

Finally, our members view de-identification as a very useful tool to ease privacy impact while preserving the analytical value of data sets. The risk of re-identification when safeguarded within a company with policies in place not to re-identify is typically very low. Contractual protections amongst parties to safeguard shared de-identified data are common practice in our industry. ESAC supports the OPC’s encouragement for companies to engage in voluntary agreements of this nature, and we do not believe any additional restraints on companies’ abilities to process and store de-identified data sets are necessary or warranted at this time.

3. What other solutions would be helpful in addressing consent and why?

The entertainment software industry provides consumers with additional guidance regarding which games are appropriate for which age groups through the wide-spread use of video game ratings, managed and overseen by the Entertainment Software Rating Board (ESRB) in North America, and other ratings boards around the world. The ESRB has gone a step further and developed a voluntary privacy trust mark program which specifically addresses privacy concerns for parents and consumers generally. The ESRB Privacy Certified program invites video game companies to submit their video games for assessment, and once deemed compliant with privacy legislation and best practices, they can opt to receive the Privacy Certified trust mark.

In our experience, privacy trust marks serve as valuable consumer awareness tools. They are also considered most valuable to industry when they are voluntary and when they provide meaningful value (e.g. safe harbor) and incentivize companies to take the time to undertake the certification process. Further, we believe that these programs are best administered by industry in a self-regulated manner. However, this does not preclude participation from government officials in the process of establishing these programs and assisting with ensuring that the accompanying requirements are in compliance with domestic legislation. While the OPC could develop a Canadian Privacy Trust Mark, we believe that it is more effective if the OPC works with industry sectors to encourage the creation, and subsequent adoption, of these programs across sectors that still have no standard trust mark in use. In the case that a trust mark or seal program were to be developed by the OPC, it should work similarly to TrustE’s APEC and/or Privacy Shield certification programs.

ESAC is also supportive of the OPC suggestion to work with industry to develop voluntary codes of conduct to help organizations demonstrate compliance. Any initiatives should be voluntary and industry-led. The OPC aim to use these codes to promote particular behaviours or actions, rather than mandating practices for particular industries, while exploring harmonization with international certifications or standards to limit unnecessary duplication.

ESAC is also aware of proposals supporting Government co-ordination and collaborations to achieve international privacy norms that guide legislation across jurisdictions. ESAC supports this proposal in so far as Canada’s approach is aligning with international norms, and is not more restrictive or prescriptive than other jurisdictions. Canada should work with industry and through organizations like the Organization for Economic Cooperation and Development (OECD) to develop international, “interoperable” approaches to privacy and consent. In doing so, companies that are export focussed or that operate in a global marketplace will be better able to adapt and enhance privacy practices, rather than constantly re-adjusting to jurisdiction specific requirements, which can be costly and time-consuming.

4. What roles, responsibilities and authorities should the OPC have to ensure Canada’s privacy framework is effective?

At this time, we do not believe the OPC should have any new and additional enforcement powers or oversight responsibilities, not least because the new powers granted under the DPA have not yet come into force and been measured for their effectiveness.

Concerns regarding the impact of individual awareness or knowledge of how personal information is being used by companies can be addressed in a number of ways, however, the most obvious and least cumbersome is through consumer education tools and materials. As mentioned, ESAC and its Members provide an array of support tools to help consumers understand how to manage their privacy preferences. However, there are other industries that are less prepared or have not yet created these controls. In these cases, we would encourage companies and industries to be transparent about how personal information is used and to create privacy controls that users can manage on their own. ESAC Members are also supportive of the suggestion to encourage industry to enter into voluntary contracts to formalize an agreement with third-parties to not re-identify de-identified data.

However, as a solution to address the current concerns, we would strongly encourage the OPC to enhance its consumer education initiatives to provide Canadians with an objective toolkit and clear and easy to understand guidance on how to manage their own privacy concerns and what they should be looking out for. The OPC’s Federal mandate places it in the best position to educate Canadians—both consumers and companies—on how to objectively interpret privacy legislation, understand the connected business ecosystem and help consumers develop their own personal preferences regarding privacy.

Once again, thank you for this opportunity to provide feedback. We look forward to continuing our work with the Government of Canada, and specifically the Office of the Privacy Commissioner of Canada.

Sincerely,

Tanya Woods, BA, LLB, LLM, LLM
Vice-President, Policy and Legal Affairs
The Entertainment Software Association of Canada
