Results of consent consultation highlighted in Commissioner’s 2016-17 Annual Report
OTTAWA, September 21, 2017 – Canadians (92%) are concerned about their privacy. They fear new technologies and business models have eroded their ability to control how their personal information is collected, used and disclosed by companies.
Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), generally requires that organizations obtain consent to collect, use and disclose personal information. Consent is the chief mechanism by which people can express their autonomy and exercise control over their personal information.
But achieving meaningful consent in the digital age has become increasingly difficult as it has become far less obvious who is processing our information and for what purposes. After consulting consumers, industry and expert stakeholders, we have come to the view that consent remains central to personal autonomy, but in order to protect privacy more effectively, it needs to be supported by other mechanisms, including independent regulators such as the OPC that inform citizens, guide industry, hold it accountable and sanction inappropriate conduct.
Our actions and recommendations fall into three main categories: (1) making consent more meaningful, (2) providing alternatives to consent and (3) governance (corporate accountability and enforcement). While some solutions demand legislative change, others do not and we will act immediately where we can to improve privacy protections for Canadians. The following is a summary of our actions, as well as our recommendations. See the full report for additional details.
1. MAKING CONSENT MORE MEANINGFUL
While under challenge, consent should continue to play a prominent role in privacy protection. The following solutions seek to strengthen consent and make it more meaningful.
The OPC will update its guidance on online consent to specify four key elements that must be highlighted in privacy notices and explained in a user-friendly way. Those elements are:
- What personal information is being collected?
- Who it is being shared with?
- For what purpose is information being collected, used or shared? (Including an explanation of purposes that are not integral to the service.)
- What is the risk of harm to the individual, if any?
Forms of consent: implied vs express
The courts have held that: (1) informed consent generally requires express consent; (2) organizations must consider the sensitivity of personal information and the reasonable expectations of the individual in determining whether implied consent is sufficient or whether express (opt-in) consent is necessary in a given context. Stakeholders said the requirement for express consent should be made more explicit in certain situations.
Updated guidance on online consent will clarify that express consent is generally required where there is a risk of harm, where sensitive personal information is involved or when information is to be used for practices that are not core or integral to the service offered. The OPC will also seek, in the future, to explain what the “reasonable expectations of individuals” would be in different contexts, including for the purposes of informing the form of consent.
Parliament should consider making risk of harm explicit in PIPEDA, for instance for the purpose of informing the form of consent.
Children and youth
Children and youth are avid users of technology and are increasingly online at very young ages. Their capacity to provide meaningful consent is dependent on their cognitive and social development. We are in an age of complex data flows that even adults can struggle to understand.
Our online consent guidance will also address issues related specifically to children and youth. Our position in all but exceptional cases is that consent for the collection, use and disclosure of personal information of children under 13 must be obtained from parents or guardians. For youth aged 13-18, consent can only be considered meaningful if organizations have adapted their consent processes to take into account the level of maturity of their users.
Encouraging consent technologies
New technologies pose challenges to meaningful consent, but they may also present opportunities. There is no shortage of technologies or good ideas for facilitating the consent process. There does, however, seem to be a lack of deployment and adoption among businesses. Some businesses are even complicit in the use of technologies that circumvent people’s privacy choices. It is incumbent on industry innovators to develop and adopt privacy enhancing technologies and to help customers make the privacy choices that are right for them.
The OPC will inform individuals of available technological tools designed to implement consumers’ consent choices, and will pursue reports that individuals’ privacy choices have been obstructed. The OPC will fund research and knowledge translation activities to promote the development and adoption of new consent technologies.
The government is encouraged to fund emerging technologies on the condition that they build in privacy protections in order to help create incentives for their adoption.
No-go zones even with consent
The current law recognizes that there are certain circumstances in which organizations should be prohibited from using personal information, regardless of whether individuals have consented. But the law is worded broadly and is subject to interpretation.
We will draft and consult on new guidance that will explicitly describe some instances where collection, use or disclosure of personal information is prohibited. Examples include: situations that are known or likely to cause significant harm to an individual, profiling individuals in a way that leads to unfair, unethical or discriminatory treatment, or publishing personal information with the intended purpose of charging individuals to pay for its removal.
Guidance for individuals and organizations
There is a desire and need for the OPC to produce more guidance for individuals and organizations. Individuals need more information to better understand privacy risks and how to mitigate them, while businesses want more information about their privacy obligations and responsibilities under the law.
The OPC will produce more information, advice and guidance for both individuals and organizations on a wide range of topics. (A list of 30 topics is included in the full consent report.)
We will also encourage industry to develop codes of practice, starting with one on the connected car and another on legal applications.
To ensure the next generation of Canadians is well informed of their privacy rights, the OPC is, in collaboration with counterparts across Canada, urging provincial and territorial governments to integrate privacy education in school curricula.
2. ALTERNATIVES TO CONSENT
The majority of solutions are focused on protecting consumers; however, there is also a need to encourage innovation, and to recognize that personal information is an important part of a data-driven economy. In the 21st Century, there may be exceptional circumstances where consent may simply not work. The following solutions seek to address those situations.
There remains debate on the merits and risks of de-identification – a process that removes the association between the identifying data and the individual. The OPC remains guardedly optimistic that de-identification can be a viable solution provided it is managed appropriately.
The OPC will issue guidance proposing appropriate methods of de-identification. We will set out factors to be considered in evaluating when the risk of re-identification is sufficiently low as to authorize the use of information without consent.
We encourage Parliament to examine the concept of pseudonymized information, which may be exempt from consent requirements but still subject to all other PIPEDA protections.
Publicly available information
Industry stakeholders interested in relaxing consent requirements suggest that changes to PIPEDA’s regulation specifying publicly available information are warranted to better reflect today’s environment, where personal information can be readily accessed in “open spaces” such as the Internet. That being said, it is a common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it. Deciding how to protect this privacy interest is extremely complex, and involves consideration of individual and societal rights.
The OPC recommends Parliament consider how best to modernize the rules on publicly available information, taking into account the need to balance potentially competing constitutional rights.
New consent exceptions where consent may be impracticable
Even with allowances for publicly available information and de-identification, there are instances where consent remains difficult, if not impracticable. A good example is in the big data context where massive volumes of information are being continuously collected and new uses for the information are being identified after collection. Artificial intelligence depends on these data processing methods. In Europe, these uses are authorized under a "legitimate interest" rule. The OPC believes a legitimate interest exception would be too broad, but more specific and targeted exceptions could be considered.
The OPC recommends Parliament examine the possibility of introducing new exceptions to consent to address activities where consent may be impracticable, and where the societal benefits clearly outweigh the privacy incursions, subject to strict conditions and stronger enforcement.
3. GOVERNANCE (CORPORATE ACCOUNTABILITY AND ENFORCEMENT)
The following solutions focus on the governance mechanisms used to ensure companies operationalize and respect their privacy obligations under PIPEDA.
Accountability
Accountability is a fundamental principle under PIPEDA that requires organizations to take their privacy obligations seriously, for example, by developing and implementing personal information policies, practices and procedures that give effect to the law. Throughout our consultations, we often heard that accountability needs to take a larger place in privacy protection, in a period where data flows and business models are becoming more complex, thus creating challenges for the consent model.
While we believe consent continues to have an important role, we agree that the weight given to accountability should increase. Accordingly, organizations should be able to demonstrate accountability on demand as a means to ensure that privacy rights are respected. We will seek to enforce this principle proactively, for instance through Commissioner-initiated complaints. We will continue to enforce Privacy by Design – the notion that privacy protections be built into the very design of a product or service at the earliest phase of conception – through our guidelines on accountability and PIPEDA’s accountability principle. We will also adapt our accountability framework to ensure it is more scalable to the needs of small- and medium-sized businesses, so that they are better equipped to meet these obligations.
We encourage Parliament to amend PIPEDA to include a legislated requirement for demonstrable accountability, along with the power of the OPC to conduct compliance reviews on demand, without grounds to believe a violation of law has occurred, as is common in other regulatory regimes.
Enforcement
Canadians are very concerned about their privacy and do not feel protected by a law that has no teeth and by businesses that are held to no more than non-binding recommendations. The OPC needs enforcement powers comparable to those in other jurisdictions, commensurate with the increasing risks that new disruptive technologies pose for privacy. It is also time to shift toward more proactive enforcement, recognizing that the current complaint-driven, ombudsman system does not give a complete picture of where privacy deficiencies lie. In the age of big data and the Internet of Things, it is difficult to understand what is happening to one’s personal information, and people are unlikely to file a complaint about something they don’t know is happening.
The OPC will make more frequent and strategic use of its power to conduct Commissioner-initiated investigations that focus on chronic or sector-specific problems, or other privacy issues related to opaque business models and uses of personal information.
Parliament should amend PIPEDA to give the Privacy Commissioner order-making powers and the ability to impose administrative monetary penalties.
The Commissioner should also have a choice in whether to investigate individual complaints or not. This would allow the OPC to focus limited resources on issues that pose the highest risk, or may have greatest impact, for Canadians. To address complaints that are not heard by the OPC, we recommend amending the law to allow individuals a private right of action for PIPEDA violations.