At the end of September, the Office of the Privacy Commissioner of Canada (hereinafter, the "Office") filed its annual report with Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding the protection of personal information in the federal private sector, as well as regarding the Privacy Act applicable to the personal information processing practices within federal departments and agencies.
Furthermore, the Office identified therein several avenues to align privacy and personal information protection legislation with new information technologies. In his introductory message, Commissioner Daniel Therrien's conclusion on the topic is telling: "Now is the time to instill confidence in Canadians that new technologies will be implemented in their best interest and not be a threat to their rights. Now is the time to reform Canada's critically outdated privacy laws."
Although the Office of the Commissioner's annual report includes a detailed analysis of PIPEDA and the Privacy Act, this bulletin will focus on the developments on the issue of consent. Consent is generally recognized as the "cornerstone" of Canada's privacy laws. As such, organizations must, in accordance with PIPEDA, and subject to certain exceptions, obtain the individual's consent prior to collecting, using, or disclosing his/her personal information. However, recent technological advances (big data, the Internet of things, artificial intelligence, etc.) are making it increasingly difficult to obtain "free and informed" consent from individuals.
Against this background, the authors (in their personal capacity) submitted a brief on the issue entitled: "Consent and Privacy: Look at the Past, Prepare for the Future", in response to a discussion paper issued by the Office of the Commissioner in May 2016. In addition, we also participated in one of the five round tables held by the Office, to put forward our recommendations.
The Office has since consolidated the findings of its extensive consultation and the annual report sets out a clear position on consent. Many of the positions set forth by the Commissioner are consistent with the above brief submitted by the authors, especially the following points:
The Office also dealt with cases where it would be difficult to obtain the individual's consent directly. Indeed, PIPEDA was drafted at a time when business models were limited to traditional transactional relationships, often bilateral in nature. However, with the emergence of new technologies, such as artificial intelligence, it is becoming increasingly difficult to know how personal information is managed, which undermines the validity and relevance of consent. To address this, three solutions are proposed by the Office:
- First, the de-identification of data, despite the fear that it could be re-identified. To that end, the Office will issue guidance on de-identification.
- Then, the Office recommends that Parliament find a way to modernize the Regulations Specifying Publicly Available Personal Information. Indeed, the Office wants to strike a fine balance between, on the one hand, the fundamental rights of individuals and, on the other, the right to access information in the public interest.
- Finally, the Office of the Commissioner is examining situations where it is simply impossible to obtain the individual's consent. The Office is therefore suggesting that Parliament amend PIPEDA to introduce new consent exceptions to manage activities where the societal benefits clearly outweigh the privacy incursions, subject to strict conditions and stronger enforcement.
In short, consent remains pivotal to the enforcement of privacy laws. However, the rapid development of technology requires the concept to be overhauled. At the heart of this modernization will be the search for a balance between the protection of personal information and the use of technology: consistency, clarity and conciseness, while remaining as comprehensive as possible -- this is the challenge for organizations in terms of informed consent. New exceptions may be suggested, but they will be limited to cases where the public interest outweighs the protection of privacy and, even then, they will be strictly regulated.