Finding a 21st Century solution to today’s consent conundrum

Address given at the IAPP Canada Privacy Symposium 2016

Toronto, Ontario
May 11, 2016

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

A widely cited study dating back to 2008 suggests Internet users would need to spend 244 hours per year—that’s nearly 33 work days—to read (much less understand) the privacy policies of the websites they visited.

Fast-forward eight years. Add mobile applications, smart devices and wearables to the mix. It seems clear that reading privacy policies could be a full-time pursuit with untold hours of overtime.

The situation serves to highlight one of the many challenges new technologies have brought to bear on the current consent model.

The fact is, the Personal Information Protection and Electronic Documents Act (PIPEDA) predates smart phones, cloud computing and business models predicated on unlimited access to personal information and automated processes that use complex algorithms to extrapolate new information from very large data sets.

Gone are the days of routine, predictable, and transparent one-on-one interactions with companies. It is no longer entirely clear who is processing our data and for what purposes.

While some would argue privacy policies have become more about shielding organizations from legal liability, their intent is also to arm individuals with the information they need to decide whether to give or withhold consent.

Is it fair then to saddle consumers with the responsibility of having to make sense of these complex data flows in order to make an informed choice about whether or not to provide consent?

Suffice it to say that technology and business models have changed so significantly since PIPEDA was drafted that many now describe the consent model as not up to the task.

We heard this time and time again last year during our consultations on our strategic privacy priorities. When I spoke at this conference a year ago, I indicated that the economics of personal information would be a key focus for my Office over the next five years and that under this priority, we would examine the current consent model with a view to improving it.

I am pleased today to announce the launch of a discussion paper examining potential changes to the consent model.

We want to start a conversation across the country and will be consulting widely with yourselves and others on how to address this issue.

In my remarks, I will touch on some of the proposed solutions, but more importantly, I would like to focus on the roles and responsibilities of the various players in this world in which privacy often seems elusive. It will be important to clarify the expectations of individuals, organizations, regulators and legislators. I will conclude with a few thoughts on Privacy Act reform.

It is unlikely that any one solution could serve as the proverbial “silver bullet” but we believe a combination of solutions could help individuals achieve greater privacy protection, which is our ultimate goal.

This is a conversation I am very much looking forward to having in the weeks and months ahead as we strive to come up with a consent model that better meets the needs of Canadians in the digital age.

The role of individuals, organizations, regulators and legislators

When it comes to consent, individuals play an important role as privacy is linked to individual autonomy. But, is it fair to assume average Canadians will be able to demystify the complex business relationships and algorithms—what’s essentially under the hood in terms of the processing of personal information?

Is the solution to provide individuals with better information on these complexities so that they may make informed choices? Or must we find other ways to protect their interests, leaving them to decide matters for which they can reasonably and practically indicate their preferences?

Organizations, on the other hand, have a legitimate interest in processing information for business purposes. They must, however, be held accountable in a very meaningful way. What incentives should exist for organizations to implement greater transparency and privacy preference mechanisms to enhance individuals’ ability to provide consent? To what extent can businesses be expected to self-regulate in a manner that protects individual privacy in the digital age?

While organizations have a role in ensuring the protection of their customers, they are not impartial and will ultimately act in their own interest. Consumer trust and effective privacy protection demand the intervention of independent and impartial actors that are capable of holding organizations to account and protecting the interests of individuals. Courts have a role to play here but in most countries, including Canada, this role largely belongs to regulators such as my Office.

To this end, what are the necessary attributes and authorities of an effective regulator? How best can data protection authorities ensure that the interests of individuals are protected and that organizations are held accountable for their actions?

Currently my Office plays a more reactive role. We generally investigate complaints after a violation has occurred. Would it be reasonable to give my Office the authority to oversee compliance with privacy legislation more proactively, before problems arise? In most countries, regulators have the authority to issue binding orders and to impose financial sanctions against organizations. Why not Canada?

While many proposed solutions may be implemented within the current legal framework, others may require legislative change. Is it time to call upon Parliament to expand the powers of the Office of the Privacy Commissioner of Canada? Should Privacy by Design become a legislated requirement as it will soon be in Europe? Should PIPEDA be amended to provide for no-go zones or, conversely, for new legal grounds for processing where consent may not be practicable?

These are the sorts of questions we are hoping to answer during our consultation process.

Solutions that enhance consent

One school of thought suggests the existing consent model may be enhanced through mechanisms that improve the ability of individuals to exercise meaningful consent.

Proposed solutions involve providing consumers with better information, giving them the ability to manage preferences across different services and ensuring privacy is no longer an afterthought, but is rather “baked” or designed into products and services.

Privacy policies should be comprehensive but clear, and organizations should endeavour to provide additional, just-in-time privacy notifications at key points in the user experience when information is being collected. Layered policies, at-a-glance privacy icons, interactive maps, infographics and short videos are some creative ways organizations can make critical privacy information more accessible to consumers.

With respect to the Internet of Things, the U.S. Federal Trade Commission has proposed a number of promising solutions to improve the effectiveness of privacy messaging in the IoT environment. These include QR codes that lead consumers to more in-depth information, set-up wizards to help users select privacy settings and privacy dashboards.

The ability to manage privacy preferences across different services means individuals would no longer have to inform themselves of an organization’s privacy practices and decide whether to provide consent each time they use a new digital service. This could also help account for consent when new uses of previously collected data are proposed.

It basically works like this: Individuals would select a standard set of privacy preference profiles offered by a third-party website, which would then vet apps and services based on the selected privacy profile.

Alternatives to the consent model

Another school of thought contends information flows have become too complex for the average person and has called for a relaxing of requirements for consent. Advocates for this approach focus on accountability and ethical uses of personal information—placing the responsibility for oversight on regulators.

Alternatives to the consent model raise questions about whether certain types of data uses may be permissible without consent, so long as the right privacy framework is in place. Such models, however, beg the question: Do we have the right oversight structure to provide public assurance that their information is being used for appropriate purposes and that it is being adequately protected?

Europe has a law that allows data processing without consent so long as it is done for legitimate business purposes and does not intrude on the rights of the individual. To proceed, organizations must conduct a balancing test to weigh the interests of the organization against those of the individual.

A solution for Canada might be to broaden the permissible grounds for processing under PIPEDA to include legitimate business interests, subject to a balancing test.

Or, we might consider defining legitimate interests up front, which would assure individuals that some uses of their personal information have been independently recognized as legitimate.

We might also consider legislating no-go zones which prohibit the collection, use or disclosure of personal information in certain circumstances. No-go zones could be based on a variety of criteria, such as the sensitivity of the data, the nature of the proposed use or disclosure or vulnerabilities associated with the group whose data is being processed. 

In our policy position on Online Behavioural Advertising, for instance, we’ve identified a few no-go zones including the tracking of children and the use of tracking methods users can’t control.

Governance solutions: What should be the role of organizations?

Under PIPEDA, organizations are already accountable for meeting their legal obligations to protect their customers' personal information, but certain governance solutions could further strengthen accountability mechanisms.

Codes of practice and privacy trustmarks, for example, can provide an added measure of predictability and consistency for companies in understanding their obligations around meaningful consent and appropriate limits on data processing. They may also offer greater clarity for individuals that their information is being processed in a transparent and fair manner that is in line with their expectations.

These codes of practice and privacy trustmarks may be voluntary best practices promoted by industry or developed by regulators to serve as an enforcement tool.

Under PIPEDA, my office has a mandate to encourage organizations to adopt instruments such as policies and codes of practice that are in line with legislative requirements. Up to now, however, this is not a provision we have fully explored.

Some commentators suggest that in the age of big data, where future uses of personal information are difficult to predict at the time it is collected, organizations should be able to determine for themselves, based on the advice of boards of ethics and accountability principles, how data may be used without the consent of individuals. Should the private sector be allowed to self-regulate in that manner? Should legislation be amended to authorize any use found appropriate by an ethics board, or should limits be outlined in law? In cases where organizations have the ability to decide whether data uses are fair and ethical, what role should the regulator play?

Enforcement models and the role of the regulator

Accountability-based solutions rely on organizations to develop and implement measures that respect their privacy obligations, including their obligation to obtain meaningful consent.

While there are positive aspects to the ethical framework proposals discussed earlier, the process is internal to the organization which inevitably places its interests ahead of others. Independent oversight bodies are needed to ensure balance between the privacy rights of individuals and the legitimate need of organizations to collect, use and disclose personal information.

Where consent is impracticable and organizations have a greater role in deciding appropriate uses for personal information, the need for regulatory bodies becomes even more compelling.

So what attributes and authorities should a regulator have in order to be truly effective in protecting the privacy rights of individuals?

Order-making powers and fines are some examples of enforcement measures that could influence organizations’ practices and strengthen privacy protections for individuals in a world where the traditional gateway of informed consent is under significant stress.

The ability to levy fines currently exists in the data protection laws of some European countries as well as in the European Union’s new General Data Protection Regulation, while EU and US regulators have order-making powers. My Office, on the other hand, can only make non-binding recommendations and has no power to order a company to comply or to levy fines.

It is also worth noting that our current enforcement regime operates on a complaint-based model:  A privacy incident occurs, somebody complains to my Office and we determine whether there are grounds to investigate.

A proactive enforcement model would involve intervening at an earlier stage to ensure an organization is complying with measures such as no-go zones or legitimate business interest provisions. This could be done, for example, through spot checks, or compliance reviews.

These potential solutions raise an important question for my Office. As the federal regulator, should we be given additional powers to oversee compliance and enforce new or enhanced consent rules?  Certainly this would bring us more in line with our counterparts in provinces with private sector privacy legislation that is substantially similar to PIPEDA, as well as regulators in the EU and U.S., which have order making powers. Of course regulators are but one part of the puzzle. As I’ve said before, individuals, organizations and legislators also have a role to play.

In any case, these are the questions I hope to answer during this important consultation process.

Privacy Act Reform

My comments so far have largely centred on the private sector, but I would like to touch on one important issue with respect to the public sector.

As you may know, I recently testified and submitted recommendations on Privacy Act reform to a Parliamentary committee. I am hopeful this issue will be a priority for the government as the basic protections and rights guaranteed by the legislation have not been updated since 1983.

I need not reiterate just how much technology and the increasing demands to share information for a host of reasons, not the least of which include national security, have transformed the privacy landscape over the last three decades.

It goes without saying that the law governing how federal institutions collect, use, disclose and protect personal information is technologically, legislatively and from a transparency and expectations perspective, antiquated and in dire need of modernization.

To that end, I have made a number of recommendations to Parliament. For example, it is important to reduce the over-collection of data by creating an explicit requirement in law that institutions only collect information that is necessary for the operation of a program or activity. We also want institutions to consult with my Office on draft legislation that may impact privacy.

It is also critical that all information-sharing between departments and agencies be governed by written agreements that should be submitted to my Office for review.

We are also calling on Parliament to finally enshrine in statute a number of provisions that are not currently afforded the weight of the law. For instance, it should be a legal requirement that institutions employ appropriate safeguards to protect personal information. Government institutions ought to be bound by law to notify my Office of serious privacy breaches.  Privacy Impact Assessments for new or substantially redesigned programs and services should be a legal imperative.

We are further calling for an explicit public education and research mandate; the flexibility to publicly report on government privacy issues that are in the public interest in a more timely fashion, not just through annual or special reports to Parliament; and the extension of the Act to Ministers’ offices and the PMO.

Without renewal, the protections of the Privacy Act are proving to be increasingly out of touch with Canadians in terms of how they engage with the digital world.

Conclusion

The fast-paced evolution of the digital economy due to constant technological innovation has fundamentally changed the privacy landscape.  

We are at a critical point in which action is needed on a few fronts.

Privacy Act reform is long overdue. Canadians have little choice in providing their personal information to government so it is of critical importance that such information be protected to the highest standards. 

And the time has also come to seriously think about the practicability of the current consent model under PIPEDA and how it might be better supported or enhanced.

I would encourage you all to read our discussion paper on the consent model and to provide your feedback. As privacy professionals, your input is instrumental as we pursue real solutions to this consent conundrum.

Beyond that, I would ask that you share this discussion paper with your colleagues and friends. It is critical that we hear not just from privacy experts, but also from advocacy groups, academics, educators, IT specialists and everyday Canadians.

I do not believe innovation must come at the expense of privacy. The two can coexist. Let’s work together to find a balanced solution that will ultimately strengthen the control Canadians have over their personal information.

I’d be happy to take some questions.
