The Office of the Privacy Commissioner (OPC) has recently published a discussion paper entitled "Consent and privacy" exploring potential enhancements to consent under PIPEDA. The OPC also launched a Consultation and Call for Submissions requesting input on its consent paper, asking whether legislative changes are required, and requesting comments on solutions which would be helpful in addressing consent challenges.
Éloïse Gratton, Leader of BLG's Privacy and Data Security Group, has submitted to the OPC her position paper entitled "Beyond Consent-based Privacy Protection" which addresses some of the issues raised by the OPC and addresses the viability of the consent model.
The paper discusses how, at the time that the FIPPs (Fair Information Privacy Practices) were initially drafted in the early 1970s, their main purpose was to address specific concerns pertaining to computerized databases. The best way to deal with these data protection issues was deemed to be having individuals keep control of their personal information. Forty years later, that self-concept is still one of the most predominant theories of privacy and the basis for data protection laws around the world, including PIPEDA. The paper explains how the "notice and choice" approach is no longer realistic: Individuals are overloaded with information in quantities that they cannot realistically be expected to process or comprehend. Moreover, providing notice and choice in the context of new technologies can be challenging due to the ubiquity of devices, persistence of collection, and practical obstacles for providing information, if devices lack displays or explicit user interfaces.
Gratton argues that before amending PIPEDA on consent, one should be careful to make sure that the amendment will not be detrimental or problematic as soon as new technologies emerge. She believes that the wording pertaining to obtaining consent under PIPEDA is flexible enough to accommodate new types of technologies and business models. Another argument against amending PIPEDA pertains to the fact that social norms in connection with any new technology or business practice may not yet be established.
The downside of the flexibility surrounding the notion of consent is that it creates uncertainty. Policy guidance on enhancing transparency and obtaining valid consent will therefore be increasingly necessary to address some of this uncertainty and allow organizations to innovate without taking major legal risks. Businesses may well benefit from more OPC guidance when new types of technologies or business models make their way.
The paper discusses that it is always less troubling to provide a solution which will be incorporated within the current legal framework, such as a proposed interpretation, than to propose a new amendment to the law. The notion of "consent" under PIPEDA is already quite flexible and is technology-neutral, allowing for this notion to be interpreted with the proper balance between the protection of privacy and the need for organizations to collect, use or disclose personal information for the purposes that the reasonable person would consider appropriate in the circumstances. Gratton articulates the view that any interpretation of the notion of consent should consider any impact on innovation, as well as certain new ethical issues that may, to a certain extent, go beyond the current application of PIPEDA.
She also raises that an interpretation which includes a risk-based approach may also allow organizations to streamline their communications with individuals, reducing the burden and confusion on individual consumers. Although this new approach would imply rethinking, to some extent, PIPEDA's current consent model, she maintains that this approach should be further explored in the near future.
You can access her submission by clicking the following title: Beyond Consent-based Privacy Protection.