IAF Consultation Contribution: “Consent and Privacy”

The Information Accountability Foundation

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

We believe the Office of the Privacy Commissioner of Canada has done an excellent job of presenting the current data environment and has asked appropriate questions. However, we believe there are related issues that should be raised and discussed as part of the Canadian process. Those issues include:

  • Privacy law encompasses both assuring individual autonomy and fair processing of data. The two pillars of PIPEDA, consent and accountability, facilitate those two key objectives. However, emerging data ecosystems mean greater reliance on fair processing supported by accountability.
  • Thinking with data and acting with data have different impacts on individuals, and guidance should differentiate the two.
  • Not all data originates in the same manner. Some data is provided directly by individuals; other data is observed. In addition, some data is created as part of analytics. Policy guidance should reflect the nature of data origination and how it is classified.
  • Data increasingly exists in eco-systems with many players, all with obligations to the individuals impacted by data.
  • The use of ethics in assessment processes requires the privacy community to define the key ethics that need to be considered in such assessments.

We addressed a number of the solutions suggested by the consultation paper. First, we agree there are no silver bullets, and a mixture of solutions is necessary. Our other comments included:

  • Transparency should be considered more broadly then just privacy notices and their functionality as it relates to consent. Transparency needs to take into consideration the audience and the purposes for informing.
  • De-identification requires the belt and suspenders of technology and policy enforcement. Furthermore, there are emerging technologies that will provide more granular controls so that policy rules may be enforced with greater assurance.
  • No-go zones are best guided by societal norms established by other legal regimes, such as those established for consumer and patient protection. No-go zones may have unintended consequences when thinking with data.
  • We believe that ethical assessments are a natural augmentation of accountability guidance and, when used in a reasonable and legitimate manor, create something equivalent to the European concept of legitimate interests. Furthermore, ethical assessments may be supported by codes of conduct and certifications on a voluntary basis.

The full submission is available in the following language(s):

English (PDF document)

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: