The consent model, the cornerstone behind the federal legislation that governs how private sector organizations may collect, use or disclose personal information in the course of commercial activities, is under the microscope after the Office of the Privacy Commissioner of Canada (OPC) published a consultation paper that examines its viability in today’s digital information ecosystem.
The mind-boggling pace of technological advances and the advent of cloud computing, big data analytics and the Internet of Things (IoT) has spurred the collection of such unprecedented amounts of personal information — often shared among invisible players — that it has placed the consent model under strain. Against this backdrop, business find it increasingly challenging to fulfil their privacy obligations under Personal Information Protection and Electronic Documents Act (PIPEDA) while individuals face the impossible task figuring out what organizations are processing their data and for what purposes, noted the OPC’s discussion paper. That has prompted some to advocate the easing of consent requirements around the collection of personal information while others argue for measures to strengthen it.
“There is concern that technology and business models have changed significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent,” observed the OPC’s discussion paper entitled Consent and Privacy. The discussion paper, which sought comments until the end of July, explores different options to enhance consent under PIPEDA.
But privacy experts are skeptical that the consultation will lead to any tangible actions in the future. They point to the Digital Privacy Act, which received royal assent more than a year ago, yet is still not in force because the federal government has yet to complete the drafting of data breach notification and reporting regulations. “I know that some people are hopeful that it will result in more meaningful change down the road, and maybe these are the beginning steps that will result in that but I am not going to hold my breath,” said Kris Klein, an Ottawa-based privacy lawyer who is the managing director of the International Association of Privacy Professionals (IAPP) Canada. “Things in the privacy world in Canada seem to move at a snail’s pace. Canada is falling behind.”
The consent model was forged at a time when transactions had “clearly defined moments” in which information was exchanged, points out the discussion paper. Transactions, be it an individual doing business with a financial institution or making an insurance claim, were often routine, predictable, transparent and for a limited purpose. Individuals knew the identity of the organizations they were dealing with and how the information was collected and used.
That is no longer the case, particularly since the emergence of big data and the IoT. Through the use of complex algorithms, big data analyzes enormous data sets to reveal patterns, trends and associations to solve problems and generate value. Its ability to draw correlations between individual pieces of data can also pose risks that personal data will be used in ways that individuals did not consent to nor would have ever “reasonably expected to consent” to at the time the information was collected, said the discussion paper. IoT, while still in its infancy, is a development that allows for products such as smart thermostats, connected cars, and health and fitness trackers to collect data using sensors that is shared over telecommunication networks. A U.S. Federal Trade Commission staff report found that ubiquitous data collection and the potential for unexpected uses of data are the two most serious privacy risks of IoT. “A major challenge in this environment is how to convey meaningful information about privacy risks in order to inform the user’s decision whether or not to provide consent,” said the discussion paper.
“Consent is not a meaningful concept when it comes to defining people’s privacy rights,” said Daniel Michaluk, a Toronto privacy and data security lawyer with Hicks Morley Hamilton Stewart Storie LLP. “It does tend to under protect because we do have a problem with properly digesting what we are consenting to. It is just too complicated and there are too many data flows to keep track of and we can’t do it. That’s a problem.”
Éloïse Gratton, the national co-leader of the privacy and data security practice group at Borden Ladner Gervais LLP in Montreal, concurs. “We have a lot of upcoming technologies that are going to challenge this consent model even more,” said Gratton, who has published several books on privacy . “The consent model makes sense in theory but it’s no longer realistic. The technologies are too complex. It’s hard to use consent as a tool to make sure that people’s privacy and personal information is protected.”
The OPC proposes a series of “solutions” to deal with the challenges facing the current consent model, none of which will likely be a panacea, said the discussion paper. A combination of mechanisms that take into account that consent should not be a burden for individuals or organizations nor a barrier to innovation will likely be contemplated. Many of the proposed solutions focus on making consent “more meaningful” and making it easier for individuals to understand so that they can make informed choices. The current consent-based model of privacy protection for instance could strengthened by ensuring that there is greater transparency in privacy policies and notices. The use of third-party intermediaries who could set privacy preference profiles may be worth a look as are technology specific safeguards that have built-in compliance mechanisms, said the OPC. The internationally-recognized Privacy by Design (PbD) concept, which imposes obligations to account for privacy when creating products and systems, too is an option – and is a route chosen by the European parliament after it approved this spring tougher data privacy rules that enshrine the right to be forgotten. The new General Data Protection Regulation (GDPR), which governs the use and privacy of European Union citizens’ data, compels organizations to incorporate PbD principles into the development of business processes for products and services.
The OPC discussion paper also contemplates alternatives to the traditional approach to consent, such as the de-identification of data and types of information that may not necessarily require consent or “no-go zones” which prohibit the collection, use or disclosure of personal information in certain circumstances. The OPC would also consider the notion that consent is not always practical in some situations, as is the case in the new European Union framework. In the EU legitimate business interests can be cited as grounds for lawful processing without consent, except in cases where fundamental rights come into play. Also on the table are codes of practice that provide practical guidance to industry best practices, privacy accountability seals, and greater enforcement powers for the OPC.
“What we ultimately need is some sort of model that tells us what is and what is not permissible,” said Michaluk. “We have suggestions on how we might structure our thinking about it but there are no suggestions in the paper that talk about what that model might look like. That’s what we need. I don’t know what it looks like, and I don’t think anybody really does. It is the fundamental problem.”
But Gratton warned that before amending PIPEDA on consent, one should make sure that changes will not be “detrimental or problematic” following the emergence of new technologies. PIPEDA’s wording towards consent is flexible, maintained Gratton. It can accommodate new technologies and business models as well new social norms that may arise in connection with upcoming technologies or business practices, added Gratton. She raises the possibility of using a risk-based approach that focuses on the risk of harm which would reduce the burden of the notification obligation and concurrently the consent obligation. While it would “imply some rethinking to some extent” of PIPEDA’s current consent model, the risk-based approach could be incorporated into PIPEDA, said Gratton.
Klein leans towards an approach that would both ease consent requirements and strengthen them. A good example are Canadian banks which are governed by a robust regulatory regime that has earned the confidence and trust of consumers. “If we developed in the privacy field a robust and mature set of legislative principles overseen by a robust regulatory regime then maybe we can sort of start getting that same sense of comfort and confidence in organizations,” added Klein.
This story was originally published in The Lawyers Weekly.