The OPC Publishes its Report on Consent

In May 2016, the Office of the Privacy Commissioner of Canada (OPC) published a discussion paper and launched a consultation on consent under the Personal Information Protection and Electronic Documents Act (PIPEDA), with the objective of identifying potential enhancements to the consent model and better defining the roles and responsibilities of the actors who could implement such improvements. I had then submitted to the OPC my position paper entitled “Beyond Consent-based Privacy Protection”, which was meant to address some of the issues raised by the OPC and to examine the viability of the consent model.

On September 21, 2017, as part of its 2016-2017 annual report, the OPC published its “Report on Consent” as a result of this consultation. In this report, the OPC recognizes that consent is a foundational element of PIPEDA, but notes that obtaining meaningful consent has become increasingly challenging in the digital environment and can sometimes be impracticable or very challenging in the case of big data initiatives or Internet of Things devices. The OPC also cites a survey revealing that the vast majority of Canadians are worried that they are losing control of their personal information, and highlights the importance of Canadians having the trust required for the digital economy to flourish.

Forms of consent. The OPC believes that the form of consent (express vs. implied) should depend on the sensitivity of the information and the reasonable expectations of individuals. Since individuals would be less likely to give implied consent with respect to personal information not integrally linked to the service, organizations should be very transparent about when personal information is integral to the service and when it is not. Interestingly, the OPC also notes that the form of consent should depend on the risk of harm of a data processing activity. The OPC intends to ask Parliament to make risk of harm an explicit factor when determining the appropriate form of consent. I had published a paper on the notion of risk of harm in 2013, for those interested in different views of this concept.

No-go zones even with consent. Under subsection 5(3) of PIPEDA, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This cannot be overridden by consent. The OPC intends to publish guidance on what is not considered an appropriate purpose under this subsection. It gives examples of what it considers inappropriate, which may include a collection, use or disclosure that is otherwise unlawful; profiling or categorization that leads to unfair, unethical or discriminatory treatment; publishing personal information with the intended purpose of charging individuals to pay for its removal (for example, see PIPEDA Report of Findings #2015-002); and situations that are known or likely to cause significant harm to the individual.

De-identification. The OPC notes that de-identification may seem like a promising measure for enhancing privacy protection, but acknowledges that re-identification is a real risk because of the availability of data sets that can be used for re-identification and because of the lack of rigour in de-identification methods. It intends to issue guidance on de-identification aimed at helping organizations assess and reduce the risk of re-identification to a sufficiently low level where the data may reasonably be used without consent. The OPC refers to a recent paper entitled The Seven States of Data: When is Pseudonymous Data Not Personal Information? (co-authored with Khaled El Emam, Jules Polonetsky and Luk Arbuckle, presented at the 2016 Brussels Privacy Symposium), in which we propose a framework for classifying states of data between non-identifiable and personal information, taking into account the risk of identifiability and proposing methods for mitigating privacy risk. The OPC encourages Parliament to examine the concept of pseudonymized information, which may be exempt from consent requirements but still subject to all other PIPEDA protections.

New consent exceptions. The OPC acknowledges that there are situations where consent may be impracticable and suggests that Parliament consider the circumstances where exceptions to the consent requirement might be warranted from a broader societal perspective. An organization that wishes to benefit from such a consent exception would be required to demonstrate that obtaining consent has been explored and that it is impracticable to obtain such consent. It would also have to comply with prior conditions, which may include an organization having to demonstrate, on request, that:

  • it is necessary to use personal information;
  • it is impracticable to obtain consent;
  • pseudonymized data will be used to the extent possible;
  • societal benefits clearly outweigh any privacy incursions;
  • a Privacy Impact Assessment was conducted in advance;
  • the organization has notified the OPC in advance;
  • the organization has issued a public notice describing its practices; and
  • individuals retain the right to object.

Governance/Enforcement. In a 2013 report, the OPC argued for stronger enforcement powers. It now believes that this need has become greater and that Canadians’ privacy rights must be adequately protected through privacy regulators who, like those in the U.S., the EU and elsewhere, have enforcement powers that are proportional to the increasing risks that new disruptive technologies pose for privacy.

Fines and monetary settlements. The OPC notes that other Canadian regulators have the power to impose administrative monetary penalties (under the Competition Act, for instance). It also mentions that fines (like those provided for in the GDPR) or monetary settlements (such as those obtained by the U.S. Federal Trade Commission) are becoming the norm internationally. According to the OPC, gaps in regulatory and enforcement powers may come under scrutiny when Canada’s adequacy status is reviewed by the EU under the GDPR. As for the factors for imposing a penalty, the OPC believes that they should be carefully examined, with the aim of enhancing compliance rather than punishing. Due diligence, i.e. evidence that an organization has taken all reasonable steps to avoid the violation, would be a complete defence.

Authority to verify compliance on demand. The OPC believes that the ombudsman model, as a complaint-driven system, has some flaws. For instance, individuals are unlikely to file a complaint about something they are unaware of, and it becomes more complicated to understand how organizations handle personal information in the age of big data and the Internet of Things. A proactive regulatory model would allow the OPC to verify compliance on demand and require organizations to demonstrate accountability, without evidence that a violation has occurred (which is currently required under PIPEDA). Regardless of whether it is granted broader legislative authority to investigate, the OPC intends to make more frequent and strategic use of its existing power to conduct Commissioner-initiated investigations, focusing on recurring or sector-specific problems, or on other privacy issues related to opaque business models and uses of personal information.

Private right of action. The OPC suggests that Parliament consider creating a private right of action for PIPEDA violations as an alternative to the current complaint model, instead of relying on the lengthy development of privacy tort law.

***

The Privacy Commissioner of Canada has also recommended legislative amendments to PIPEDA to provide for order-making powers and the ability to impose administrative monetary penalties, in order to address his concern that Canadians do not feel protected by a law that has no teeth and by businesses held to no more than non-binding recommendations. Therrien mentioned that the OPC will not wait for legislative changes but will begin to act immediately to improve privacy protections for Canadians by implementing certain steps, which include making a shift towards a proactive enforcement and compliance model, rather than a complaints-based ombudsman model of privacy protection, as well as developing new guidance specifying areas where the collection, use and disclosure of personal information is prohibited, such as situations that are known or likely to cause significant harm to the individual.


This content has been updated on May 2, 2024 at 16 h 27 min.