Submission to the OPC’s Consultation on Consent under PIPEDA (SiriusXM)

Sirius XM Canada

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Summary

As the OPC’s Discussion Paper notes, the rapid evolution of the Internet of Things (“IoT”) and big data has yielded a “fast-paced, dynamic environment”. PIPEDA is technologically neutral and by its nature is suited to respond to developments such as big data and the IoT. To the extent regulatory developments are warranted, building on PIPEDA’s principles of consent and accountability for new circumstances as they arise is preferable to sweeping changes in guidelines or legislative change with respect to consent.

It is essential that any recommended developments to the consent regime do not impact existing common and well understood uses of personal information and the business models that are dependent on such uses. Building on PIPEDA’s principles has the benefit of allowing a stable regulatory background when it comes to consent for most current and common uses of personal information and protects existing business models from becoming collateral damage of attempts to address technological developments.

Finally, to the extent any regulatory recommendations or changes arise, they should only come from a rigorous consultation and cost-benefit analysis that has demonstrated clear benefits to Canadians. Otherwise, innovation and consumer choice could be threatened by unduly onerous regulation.

Full submission:

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.

Introduction

Sirius XM Canada Inc. (“SiriusXM Canada”) welcomes the opportunity to comment on the Office of the Privacy Commissioner of Canada’s (“OPC”) call for submissions (“Consultation”) regarding its consent discussion paper (“Discussion Paper”).

As the Discussion Paper notes, the rapid evolution of the Internet of Things (“IoT”) and big data has yielded a “fast-paced, dynamic environment”. In such an environment a principles-based privacy and consent framework is the only effective approach. Such an approach affords the law the necessary flexibility to remain relevant and ensures that the law is technologically neutral in the face of unforeseen developments. Rather than a sweeping overhaul to federal privacy laws, technological changes such as big data and the IoT should be addressed, if necessary, only through additional guidance, clarification, and the application of existing principles to emerging circumstances.

Indeed, predicting what innovations big data and the IoT will bring is impossible. A novel and overly prescriptive regulatory framework, particularly one that sets apart certain technologies, may find itself quickly obsolete, may impede innovation, and may miss its stated goals because the technological environment evolved in an unforeseen way. Further, well understood uses of personal information in ordinary commercial scenarios may be collateral damage in trying to remedy more speculative concerns with onerous prohibitions or requirements. This would put existing business models at risk in addition to emerging and future business models.

Caution must thus constrain any impulse to move away from PIPEDA’s principles-based approach to consent. Before setting legislative recommendations or best practices, all stakeholder perspectives and market factors must be considered. Finally, a careful and rigorous cost-benefit analysis must be applied so that any regulatory changes actually benefit Canadians. Without such rigor pointing to a clear benefit for Canadians, it would be unwise to supplant or make less flexible the guiding principles of consent and accountability in Canadian privacy law.

Any changes to the consent regime in response to developing technologies should not burden existing, ordinary, and well understood uses of personal information

The Discussion Paper highlights new technologies and business models, big data, and the IoT as challenges to the existing consent framework in Canada. PIPEDA is already intended to be technologically neutralFootnote 1 and the best approach to addressing technological challenges is to stay true to PIPEDA’s existing principles, including consent. The preferred approach is to fine tune these principles through guidance, case summaries, and findings in order to address developments such as big data and the IoT.

New guidance documents targeted to specific developments represent a more nuanced approach and allow the OPC to target the above developments without disrupting long-standing, well understood, and transparent uses of personal information. An example of such a transparent use is direct marketing: the collection of an individual’s personal information for the purpose of sending them direct messages is a straightforward interaction that is transparent to the individual receiving a marketing message. Transparent uses such as this easily allow the individual to then exercise their rights under PIPEDA, by either modifying or withdrawing their consent to this use.

In such cases the current consent regime is entirely adequate: it is well understood by both individuals and businesses. Any regulatory response to the challenges presented by IoT and big data should not burden more traditional and easily understood uses with undue formalism. The protection of the status quo for uncomplicated, obvious collection, use, and disclosure of personal information preserves the stability of the privacy landscape, an important factor for businesses operating in Canada. To the extent such uses are subject to regulatory change, existing business models—including SiriusXM Canada’s—could be put at risk or be subject to unproductive regulatory burdens.

Reply to certain Consultation questions

Response to Question 2: Market forces and cost benefit

The role of market forces in ensuring privacy and the safekeeping of personal information must be accounted for in any policy review

In competitive markets such as the one in which SiriusXM Canada operates, the responsible use of personal information within the bounds of individual consent and reasonable expectations is essential in building and maintaining customer goodwill. Indeed, it is a prerequisite of a successful consumer business, something the OPC has consistently recognized.Footnote 2 Further, market forces and the need for trust regarding the treatment of personal information, both between companies and individuals and between businesses and other businesses,Footnote 3 has spawned a variety of industry groups and privacy standards that complement privacy laws and regulations and are uniquely adapted to the business realities of that particular industry or sector. These should also be considered when reviewing the current consent regime. To the extent that the OPC is of the view that a sector is subject to different or lessened market forces, those cases should be dealt with separately by the OPC through bespoke guidance in conjunction with the applicable industry regulator, if any.

A rigorous cost-benefit analysis must be applied before undertaking extensive changes to legislation or regulatory principles

The OPC has identified the “economics of personal information” among its strategic priorities for 2015 to 2020.Footnote 4 The priorities were set based partly on a focus group with Canadians. Canadians rightly value their privacy and personal information and the OPC has taken notice of those concerns.

Regulatory prescriptions, however, are not cost free. Before setting out recommendations for changes to best practices or for legislative changes it is important that the OPC engage in a rigorous cost-benefit analysis. That analysis must be driven by input by a diverse set of stakeholders. Otherwise, the compliance burden to business and innovators may rise without a corresponding benefit to Canadians, harming innovation and consumer choice.

Response to Question 3: Collaboration among industry stakeholders and between industry and government is essential in the developing policy and frameworks

The OPC’s 2015-2020 strategic priorities also included input from stakeholders from industry, academic and consumer groups, and government. Collaborative processes have yielded effective frameworks that both protect consumers and provide the flexibility for innovation. Privacy is a shared responsibility between industry to whom individuals entrust their personal information and government. Many industry associations have already developed frameworks and approaches to the issues raised by the Discussion Paper and those should be considered in the OPC’s review of consent.

Response to Question 4: Legislative changes to principles based-consent is unnecessary and should not be directed to any specific technology

PIPEDA is, and remains, a flexible, technology-neutral tool that effectively protects the personal information of Canadians while allowing businesses to innovate, to respond to competitive pressure and market disruption by developing new business models, and ultimately to remain nimble in response to global economic drivers. Wholesale legislative change is time-consuming, expensive and will likely create uncertainty. The same policy ends can be met by the OPC developing guidance specifically addressing the issues raised by new technologies. The goal is not to scrap the existing regulatory framework, but rather to enhance it with more tailored guidance from the OPC.

Conclusion

In summary, PIPEDA is already technologically neutral. By its nature it is suited to respond to developments such as big data and the IoT. To the extent regulatory developments are warranted, building on PIPEDA’s principles of consent and accountability for new circumstances as they arise is preferable to sweeping changes in guidelines or legislative change with respect to consent.

Second, it is essential that any recommended developments to the consent regime do not impact existing common and well understood uses of personal information and the business models that are dependent on such uses. Building on PIPEDA’s principles has the benefit of allowing a stable regulatory background when it comes to consent for most current and common uses of personal information and protects existing business models from becoming collateral damage of attempts to address technological developments.

Finally, to the extent any regulatory changes arise, they should only come from a rigorous consultation and cost-benefit analysis that has demonstrated clear benefits to Canadians. Otherwise, innovation and consumer choice could be threatened by unduly onerous regulations.
Date modified: