The Consent Dilemma

Remarks at the Privacy Laws and Business International Conference

July 5, 2016
Cambridge, United Kingdom.

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Like many jurisdictions around the world, Canada is in the midst of trying to assess and address the unprecedented impact of technological innovation and new business models on privacy.

Central to this discussion is the issue of consent. How can individuals exercise greater control over their personal information in a world in which data flows have become so complex and involve so many players that it requires a Cambridge law degree to make sense of what is going on?

How can businesses effectively innovate without overstepping boundaries and destroying the trust they’ve built with customers?

Consent has always been considered a foundational element of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law. Legally, organizations must obtain consent to collect, use and disclose an individual’s personal information, subject to a list of specific exceptions.

But obtaining meaningful consent has become increasingly challenging in the age of big data and the Internet of Things.

Gone are the days of routine, predictable, and transparent one-on-one interactions with companies, which were the norm when PIPEDA was adopted. It is no longer entirely clear who is processing our data and for what purposes.

As such, the practicability of the current consent model has been called into question.

This became abundantly clear during a priority-setting exercise we undertook last year that involved extensive consultation with privacy stakeholders, businesses, as well as the general public.

Many participants spoke of the need to enhance the consent model in order to make it more meaningful. Others told us that the existing consent model is just not practicable anymore in certain circumstances. All agreed the consent model is under challenge and its review should be a priority for my office.

We therefore identified the economics of personal information among our four strategic privacy priorities and committed to examining potential changes to the consent model under this priority.

We released a discussion paper in May in which we consider what other countries are doing and what solutions may be possible for Canada, and are now embarking on the consultation phase of this project.

We are looking closely at Europe’s General Data Protection Regulation (GDPR) which provides for the processing of personal information without consent for legitimate purposes and limits the use of implied consent.

We are also looking at the proposed Consumer Privacy Bill of Rights in the U.S., which seeks to provide individuals with a reasonable means to control the processing of their personal information. It would require companies to conduct risk assessments and take steps to mitigate any risks that are identified. While the future of that initiative is unclear, it nevertheless contained interesting ideas worth considering.

In my remarks today I’d like to share details from our discussion paper. I will talk about the role of individuals, organizations, regulators and legislators and what might be expected of them in the future. I will also offer some examples of the possible solutions we are now seeking feedback on.

I have also been asked to speak a little about Canada’s privacy laws in light of the EU’s Data Protection Regulation, so I’ll conclude by touching on that issue as well.

The role of individuals, organizations, regulators and legislators

When it comes to consent, individuals play an important role as these issues are linked, in part, to individual autonomy. But is it fair to assume average Internet users are able to demystify complex business relationships and algorithms?

Is the solution to provide individuals with better information on these intricacies so they can make more informed choices or should we find other ways to protect their interests? The answer may be that both are needed.

There is a place for individual choice, on issues where consent can be meaningfully given with better information. But there may well be situations where consent is not practicable. How then should privacy rights be protected?

Companies have a role in ensuring the protection of their customers, but face difficulties trying to explain in plain language their personal information management practices. They are also under pressure to innovate quickly.

It is certainly in their interest to find new ways to inform consumers, meaningfully yet effectively, so as to maintain trust. But will they be up to the challenge? And even if they want to, can they, given that they may not be impartial?

Which brings us to the role of regulators and, potentially, legislators. Consumer trust and effective privacy protection demands the intervention of regulators that are capable of holding organizations to account and protecting the interests of individuals.

To this end, what are the necessary attributes and authorities of an effective regulator? I will say more on that shortly.

Possible solutions to address the consent challenge

Among the potential solutions are those that may enhance consent.

The goal here is to improve the ability of individuals to exercise truly meaningful consent, whether by having better access to information; by having the ability to manage preferences across different services; or by designing privacy into products and services, rather than having it be an afterthought.

Such solutions largely fall within the purview of organizations and I believe all are doable, subject to the will and creativity of the organizations themselves.

A second area includes alternatives to the consent model which are predicated on the notion that information flows have become too complex for the average person and that the ultimate solution is a relaxing of requirements for consent in certain circumstances. Is such flexibility required or can all situations be accommodated through enhancements to the consent model?

For instance, as you know, Europe allows data processing without consent if it is necessary for legitimate purposes and does not intrude on the rights of the individual.

A possible solution for Canada may be to broaden the permissible grounds for processing under PIPEDA to include legitimate business interests, either as a flexible concept or by defining specific legitimate interests in law.

We might also consider legislating “no-go” zones, which prohibit the collection, use or disclosure of personal information in certain circumstances. They could be based on a variety of criteria, such as the sensitivity of the data, the nature of the proposed use or disclosure or vulnerabilities associated with the group whose data is being processed.

A third possibility is governance solutions. These solutions focus on the role of organizations and could involve codes of practice or privacy trustmarks – familiar to some jurisdictions, but less so in Canada in terms of privacy protection.

These tools could add a certain predictability and consistency for businesses to understand their obligations around obtaining meaningful consent and the appropriate limits on data processing. They may also offer greater clarity for individuals that their information is being processed in a transparent and fair manner that is in line with their expectations.

As you know, codes of practice and privacy trustmarks may be voluntary best practices promoted by industry, or developed by regulators to serve as an enforcement tool.

Another option under consideration is to create boards of ethics, not unlike those in the scientific research community, to advise businesses on how data may be used with or without the consent of individuals. This can be useful given the difficulty in predicting future uses of information in today’s ever-evolving, technology-driven marketplace; still it raises questions about the oversight role of regulators.

Where consent is impracticable and organizations have a greater role in deciding appropriate uses for personal information, the obligations of organizations to ensure privacy protection should probably be higher.

With greater flexibility may come greater responsibility. But again, are companies up to the task? Are they in an appropriate position to balance their interests with those of the consumers?

If organizations have more flexibility, the need for regulatory bodies may become even more compelling.

So what attributes and authorities should a regulator have in order to be truly effective in protecting the privacy rights of individuals?

Currently my Office plays a more reactive role. We generally investigate complaints after a violation has occurred. Would it be reasonable to give my Office the authority to oversee compliance with privacy legislation more proactively, before problems arise?

Certainly once the GDPR is in force, in most countries, regulators will have the authority to issue binding orders and to impose financial sanctions against organizations. Why not Canada?

While many proposed solutions can be implemented within the current legal framework in Canada, others may require legislative change. This would include, if they are found desirable, potential changes to my office’s powers, no-go zones and new legal grounds for processing where consent may not be practicable.

Should Canada look at other solutions adopted elsewhere? For example, the proposed U.S. Consumer Privacy Bill of Rights Act establishes a tiered system for processing personal information by means of the principle of “respect for context.”

Meanwhile, European law relies on enhanced procedural protections for particular kinds of information, such as that involving sensitive categories of data related to race, ethnic origin, religion or beliefs. Europe has also made a Canadian idea, Privacy by Design, a legal requirement. Should Canada do the same?

These are the sorts of issues we are hoping to further explore during our consultation process.

Trans-border data flows, adequacy and the impact of the Schrems decision

Let me now turn briefly to the issue of adequacy, which I have been asked to address. Specifically, the question put to me was whether my office has had any contacts with the European Commission on any review of Canada’s EU adequacy status following adoption of the EU’s Data Protection Regulation.

The short answer is no. If the European Commission were to contact Canadian authorities on this question, the competent officials would be members of the executive branch of government, likely the Department of Innovation, Science and Economic Development, and not the Privacy Commissioner, an agent of the legislature, independent from the executive. Be that as it may, I do not believe departmental officials have been contacted by the Commission.

That said, Canada is not a disinterested observer in the EU-US discussions currently taking place, as we know that Canada’s status as an “adequate” jurisdiction may be directly affected by the Schrems decision and eventually the GDPR.

The Schrems decision, of course, demands a more holistic approach to adequacy than what was in force when Canada’s PIPEDA was determined “adequate”. Now, adequacy is not limited to a consideration of rules that protect personal data in the commercial sphere—one must also carefully consider how rights are protected by laws and practices related to national security and law enforcement.

To satisfy the essentially equivalent test, national security laws must, among other things, include safeguards that limit the scope of collection of personal data to what is necessary and proportionate for the purposes of a particular surveillance activity.

In this regard, I raised concerns with the Canadian Parliament last year when it adopted a new law to facilitate information sharing by federal departments in the national security area. I have also asked Parliament to raise legal standards for the collection of personal information under the Privacy Act.

That said, based on informal discussions I have had with European colleagues, I am not certain that Canadian and European laws are very different on these issues. It remains to be seen how European authorities would view Canadian laws post-Snowden. Certainly, we can all agree that many if not all countries are struggling to find the right balance between privacy and security.

On the commercial side, I note with pleasure that my colleague Giovanni Buttarelli, the European Data Protection Supervisor, in his recent opinion on the draft Privacy Shield agreement with the U.S., gave weight to the fact that other non-EU countries, such as Canada, have been “strictly assessed” as having binding federal laws that ensure an adequate level of protection.

But as you know, the GDPR will soon be raising the bar. One of the objectives of OPC's review of the consent model will be to ensure Canada's laws remain adequate.

Another factor relevant to adequacy is the issue of recourse for Europeans. In Canada, access to courts is not limited by reason of nationality. Therefore, a statute such as the U.S. Judicial Redress Act is not required.

Conclusion

To conclude, I hope I have given you a better idea of where Canada stands vis-à-vis adequacy as well as a sense of the discussion we have kicked off regarding consent.

It is important to keep in mind that our discussion paper on consent is not meant to be prescriptive. It is rather a launching point for a national, if not international, brainstorming session and I am pleased to see it attracting some attention outside Canada.

What we need is a broad discussion. One that involves business, but also advocacy groups, academics, educators, IT specialists and everyday Internet users, if we want to ensure that the interests of individuals are well protected.

This fall I will hold meetings in several Canadian cities to talk with many of these stakeholders directly and we are also welcoming written feedback to our consent paper.

In the end, we hope to be in a position to contribute real, concrete solutions to the consent dilemma and to identify what role individuals, organizations, regulators and legislators need to play if we are to truly help people exercise greater control over their personal information.

And while our paper focuses on consent in the Canadian context, I am optimistic it will contribute to similar discussions taking place beyond our borders.
