In May 2016, the Office of the Privacy Commissioner of Canada ("OPC") published a discussion paper and launched a consultation on consent under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), with the objective of identifying potential enhancements to the consent model and better defining the roles and responsibilities of the actors who could implement such improvements. On September 21, 2017, as part of its 2016-2017 annual report, the OPC published its "Report on Consent" as a result of this consultation.
In this report, the OPC recognizes that consent is a foundational element of PIPEDA, but notes that obtaining meaningful consent has become increasingly challenging in the digital environment and can sometimes be impracticable, particularly in the case of big data initiatives or Internet of Things devices. The OPC also cites a survey revealing that the vast majority of Canadians are worried that they are losing control of their personal information, and highlights the importance of Canadians having the trust required for the digital economy to flourish.
The report focuses on three themes: making consent more meaningful, alternatives to consent, and governance and enforcement.
Making consent more meaningful
The report notes that privacy policies were heavily criticized during the consultations for obfuscating data practices by being too lengthy and using complex and ambiguous language. Most participants in focus groups admitted to not reading them. According to the OPC, relying on privacy policies as the primary vehicle for obtaining informed consent was questionable from the beginning, and the problem grew as companies failed to adapt their policies to a digital environment.
The OPC believes that privacy policies have been ineffective from a consent perspective, but nevertheless serve a range of important legal purposes. For instance, regulators need to refer to them in order to hold organizations accountable for their personal information management practices. Accordingly, the OPC issued seven guiding principles for organizations to follow in developing privacy policies. The following ideas are particularly noteworthy:
- Certain elements warrant greater emphasis in order to obtain meaningful consent:
  - what personal information is being collected;
  - who it is being shared with, including an enumeration of third parties;
  - for what purposes the information is collected, used or shared, including an explanation of purposes that are not integral to the service; and
  - what the risk of harm to the individual is, if any;
- For collections, uses or disclosures that are not integral to the product or service individuals are seeking, individuals must be provided with easy "yes" or "no" options;
- Organizations should adopt innovative consent processes that are delivered just in time, are specific to the context and are appropriate to the type of interface used;
- Consent processes should be user-friendly and the information provided understandable, and organizations should be able to demonstrate that they have tested these processes;
- Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time, but rather treat consent as a dynamic and interactive process.
Forms of consent
The OPC believes that the form of consent (express vs. implied) should depend on:
- the sensitivity of the information;
- the reasonable expectations of individuals. Individuals are less likely to have implicitly consented to the processing of personal information that is not integrally linked to the service, so organizations should be very transparent about when personal information is integral to the service and when it is not;
- the risk of harm of the data processing activity. The OPC intends to ask Parliament to make risk of harm an explicit factor in determining the appropriate form of consent.
Children and youth
The OPC takes the position that, in all but exceptional cases, consent for the collection, use and disclosure of the personal information of children under the age of 13 must be obtained from their parents or guardians. As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken their level of maturity into account in developing their consent processes and adapted them accordingly. Organizations should therefore be cautious before concluding that they have obtained consent from an individual aged 13 to 18, as this criterion appears difficult to apply in practice.
No-go zones even with consent
Under subsection 5(3) of PIPEDA, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This requirement cannot be overridden by consent. The OPC intends to publish guidance on what is not considered an appropriate purpose under this subsection, and gives the following examples of what it considers inappropriate:
- collection, use or disclosure that is otherwise unlawful;
- profiling or categorization that leads to unfair, unethical or discriminatory treatment;
- publishing personal information for the purpose of charging individuals for its removal;
- situations that are known or likely to cause significant harm to the individual.
Alternatives to consent
The OPC notes that de-identification may seem like a promising measure for enhancing privacy protection, but acknowledges that re-identification is a real risk, both because of the availability of data sets that can be used for re-identification and because of the lack of rigour in de-identification methods. It intends to issue guidance on de-identification aimed at helping organizations assess and reduce the risk of re-identification to a level low enough that the de-identified information may reasonably be used without consent.
The report also discusses the idea of a spectrum of identifiability, noting that the EU General Data Protection Regulation ("GDPR") recognizes pseudonymization as a safeguard and allows organizations greater flexibility when processing pseudonymized information. The OPC encourages Parliament to examine the concept of pseudonymized information, which may be exempt from consent requirements but still subject to all other PIPEDA protections.
Publicly available information
While noting that several stakeholders have suggested changes to PIPEDA's Regulations Specifying Publicly Available Personal Information, the OPC believes that the matter merits further attention and deliberation by Parliament. Deciding how to protect the privacy of people whose information is publicly available is extremely complex and raises fundamental questions of freedom of expression and the right to access information in the public interest.
New consent exceptions
The OPC acknowledges that there are situations where consent may be impracticable and suggests that Parliament consider the circumstances where exceptions to the consent requirement might be warranted from a broader societal perspective. Such situations include:
- search engines indexing web sites and presenting search results to Internet users where appropriate;
- geolocation mapping services that society has become increasingly reliant upon;
- certain data processes, such as big data analytics, Internet of Things, artificial intelligence or robotics applications where commercial and societal interests align.
An organization that wishes to benefit from such a consent exception would be required to demonstrate that obtaining consent has been explored and that it is impracticable to obtain it. It would also have to satisfy preconditions, which could include demonstrating, on request, that:
- it is necessary to use personal information;
- it is impracticable to obtain consent;
- pseudonymized data will be used to the extent possible;
- societal benefits clearly outweigh any privacy incursions;
- a Privacy Impact Assessment was conducted in advance;
- the organization has notified the OPC in advance;
- the organization has issued a public notice describing its practices; and
- individuals retain the right to object.
Governance and enforcement
In a 2013 report, the OPC argued for stronger enforcement powers. It now believes that this need has become more pressing and that Canadians' privacy rights must be adequately protected by privacy regulators who, like those in the U.S., the EU and elsewhere, have enforcement powers proportional to the increasing risks that new disruptive technologies pose for privacy.
Fines and monetary settlements
The OPC notes that other Canadian regulators have the power to impose administrative monetary penalties (under the Competition Act, for instance). It also mentions that fines (like those provided for in the GDPR) or monetary settlements (such as those obtained by the U.S. Federal Trade Commission) are becoming the norm internationally. According to the OPC, gaps in its regulatory and enforcement powers may come under scrutiny when Canada's adequacy status is reviewed by the EU under the GDPR. As for the factors for imposing a penalty, the OPC believes they should be carefully examined, with the aim of enhancing compliance rather than punishing. Due diligence, i.e. evidence that an organization has taken all reasonable steps to avoid the violation, would be a complete defence.
Authority to verify compliance on demand
The OPC believes that the ombudsman model, as a complaint-driven system, has flaws. For instance, individuals are unlikely to file a complaint about something they are unaware of, and understanding how organizations handle personal information is becoming more complicated in the age of big data and the Internet of Things. A proactive regulatory model would allow the OPC to verify compliance on demand and require organizations to demonstrate accountability without first having evidence that a violation has occurred (which PIPEDA currently requires).
Regardless of whether it is granted broader legislative authority to investigate, the OPC intends to make more frequent and strategic use of its existing power to conduct Commissioner-initiated investigations, focusing on recurring or sector-specific problems and on other privacy issues related to opaque business models and uses of personal information.
Private right of action
The OPC suggests that Parliament consider creating a private right of action for PIPEDA violations as an alternative to the current complaint model, rather than relying on the slow development of privacy tort law.
The Privacy Commissioner of Canada, Daniel Therrien, has also recommended legislative amendments to PIPEDA that would provide order-making powers and the ability to impose administrative monetary penalties, to address his concern that Canadians do not feel protected by a law that has no teeth and by businesses held to no more than non-binding recommendations.
That being said, Therrien indicated that the OPC will not wait for legislative changes but will begin to act immediately to improve privacy protections for Canadians. These steps include shifting away from the complaints-based ombudsman model towards a proactive enforcement and compliance model, which may be especially useful where the OPC identifies privacy problems related to complex new technologies. They also include specifying the key elements that must be highlighted in privacy notices and explained in a user-friendly way to improve online consent, and developing new guidance specifying the areas where collection, use and disclosure of personal information is prohibited, such as situations that are known or likely to cause significant harm to the individual.