The federal Personal Information Protection and Electronic Documents Act (PIPEDA) began coming into force in May 2000 and established the legislative regime for protecting personal information in the private sector. Fourteen years is a long time in information technology and despite several amendments over PIPEDA’s lifespan, there are concerns that its framework is struggling to keep up with a constantly shifting digital landscape.
A particular area of concern is informed consent and social media, which was subject to an extensive report by the House of Commons Standing Committee on Access to Information, Privacy and Ethics. The Committee heard testimony from the Privacy Commissioner, as well as submissions from other legal experts and key industry players. The Committee released its findings in April 2013. Among the key concerns were:
- The challenge of obtaining informed consent. Users often willingly give the personal information on social media sites without understanding how the information will be used and the associated privacy risks. This is due in part to a lack of ‘digital literacy’, described as ‘the range of skills needed by individuals to make wise, informed and ethical online decisions.’ Informed consent is also jeopardized by the prevalence of ‘opt-out’ consent by social media sites, where consent is inferred from inaction.
- PIPEDA’s soft approach. This has been the preferred approach in the private sector, but the Privacy Commissioner testified that non-binding guidelines and the threat of reputation loss are largely ineffective against a quasi-monopoly of multinationals.
- The incompatibility between informed consent and unilateral contract modification.
The Office of the Privacy Commissioner (OPC) implemented some of the Committee’s recommendations with its Guidelines for Online Consent, released in May 2014. This document is an attempt to address the challenge of obtaining informed consent when users do not bother to read the agreements that they consent to or consider the consequences, instead opting to blindly click ‘yes’ until they gain access to the desired content or application.
The Guidelines are not legally enforceable, but they do give an indication about how the OPC might interpret PIPEDA. Organizations can also be confident that they will be compliant with PIPEDA’s consent principle if they design their policies and practices in accordance with the Guidelines. Unfortunately, the Guidelines do not offer much in terms of substantive guidance and much of the document reiterates the OPC’s PIPEDA Self-Assessment Tool, released in 2008.
The OPC continues to recognize that some degree of flexibility is required in order to obtain informed consent, but this flexibility is a double-edged sword: opt-out consent provisions will be appropriate in some circumstances, but social media providers are also expected to ensure that their privacy policies are easily accessible according to the device used, be it a smartphone, tablet, gaming device, or personal computer. A one-size-fits-all approach may not always suffice. For instance, an opt-out consent option may not be as visible to a smartphone user as a desktop or tablet user and may therefore require a different consent process on smartphone platforms in order to comply. As for when opt-out consent will be consistent with informed consent, the OPC provides the following guidance:
- The personal information must be demonstrably non-sensitive in nature and context.
- The information-sharing situation must be limited and well defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
- The organization’s purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual’s attention at the time the personal information is collected.
- The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of the procedure at the time the personal information is collected.
As communication technology continues to evolve and the OPC attempts to address the emerging challenges to privacy interests, more guidelines, and possibly legislative amendments, are sure to follow. Organizations that follow the current guidance documents will be well-positioned to adapt to future legal requirements and could even get a seat at the time when law-makers seek private-sector input.
One such amendment is clause 5 of Bill S-4, the Digital Privacy Act, which would add a definition of ‘valid’ consent:
6.1 For the purposes of clause 4.3 of Schedule 1 [Consent], the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The inclusion of the word ‘would’ suggests that an individual does not actually have to read the consent form in order for consent to be valid. But individuals must still be able to understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. Organizations that incorporate the OPC’s Guidelines into their privacy policies and practices should have few, if any, problems complying with this amendment if it becomes law.