Skip to main content
This website uses cookies. By continuing to use this website you are agreeing to our use of cookies as described in our privacy policy.
Bulletin

Consent is Becoming A Topic of Conversation Again: Overview of The Annual Report of The Office of The Privacy Commissioner of Canada

Fasken
Reading Time 6 minute read Subscribe

Privacy Information & Protection Bulletin

At the end of September, the Office of the Privacy Commissioner of Canada (hereinafter, the "Office") filed its annual report with Parliament (PDF) on the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding the protection of personal information in the federal private sector, as well as regarding the Privacy Act applicable to the personal information processing practices within federal departments and agencies.

Furthermore, the Office identified therein several avenues to align privacy and personal information protection legislation with new information technologies. In his introductory message, Commissioner Daniel Therrien's conclusion on the topic is telling: "Now is the time to instill confidence in Canadians that new technologies will be implemented in their best interest and not be a threat to their rights. Now is the time to reform Canada's critically outdated privacy laws."

Although the Office of the Commissioner's annual report includes a detailed analysis of PIPEDA and the Privacy Act, this bulletin will focus on the developments on the issue of consent. Consent is generally recognized as the "cornerstone" of Canada's privacy laws. As such, organizations must, in accordance with PIPEDA, and subject to certain exceptions, obtain the individual's consent prior to collecting, using, or disclosing his/her personal information. However, recent technological advances (big data, the Internet of things, artificial intelligence, etc.) are making it increasingly difficult to obtain "free and informed" consent from individuals.

Against this background, the authors (in their personal capacity) submitted a brief on the issue entitled: "Consent and Privacy: Look at the Past, Prepare for the Future", in response to a discussion paper issued by the Office of the Commissioner in May 2016. In addition, we also participated in one of the five round tables held by the Office, to put forward our recommendations.

The Office has since consolidated the findings of its extensive consultation and the annual report sets out a clear position on consent. Many of the positions set forth by the Commissioner are consistent with the above brief submitted by the authors, especially the following points:

Our Recommendations

Position of the Commissioner's Office

Simplified Privacy Policies

The brief we submitted posed the question, if not the challenge, of striking a balance between the protection of privacy and the reasonable demands of businesses. We found that often privacy policies were overly specific, complex and lengthy. To meet this challenge, the undersigned advanced the "4C rule": consistency, clarity, conciseness and comprehensiveness. The undersigned then recommended that the designing of a consent form that is unique and relatively standardized be considered. Consideration could be given to an interactive document that avoids highly technical language and has a well-organized and pleasant layout.

  • Organizations should inform and familiarize individuals with an informational structure that focuses on:
  • what personal information is collected;
  • the use made of the data sought;
  • data disclosure;
  • how the data is protected;
  • where will the data be stored;
  • the rights to access and correction.

The Office supports the position that individuals must understand the nature, purpose, and consequences of collection, use and disclosure of their data. Privacy policies are becoming lengthier and more complex. Organizations need to find innovative and creative ways to facilitate the consent process.

While organizations must continue to make readily available to individuals complete and understandable information, the following elements must, in order to obtain informed consent, be given particular prominence and be brought to the individual's attention in a user-friendly format and at an appropriate time:

  • what personal information is being collected;
  • who it is being shared with;
  • for what purposes is information collected, used, or shared, including an explanation of purposes that are not integral to the service; and
  • what is the risk of harm to the individual, if any.

No-Go Zones

The undersigned did not want the Act to define specific no-go zones, except in very specific cases (e.g. genetics). In Canada, privacy laws are built on the model of the organization's "legitimate interest" in collecting, using and disclosing personal information, in addition to requiring the individual's consent to the collection, use and disclosure of personal information (except as specified in the statute). The approach is based on the good faith of the organizations. Thus, an approach based on no-go zones or pre-authorization would, according to the undersigned, be contrary to the philosophy of the law.

Finally, the undersigned felt that the "necessity" criterion could serve as a safeguard at each stage of the collection, use or disclosure of personal information.

The Office shares the view that legislating specific no-go zones would not be ideal, given the fast pace of technological change and innovation. PIPEDA already prohibits inappropriate uses under subsection 5(3), which cannot be overridden by consent.

Needless to say, these uses are broad and subject to interpretation. As a result, the Office will issue guidance under subsection 5(3) explicitly stating what it considers to be inappropriate cases of collection, use or disclosure of personal information from a reasonable person standpoint. Imput will be sought regarding this guidance document. For example, the Office considers that publishing personal information with the intended purpose of charging individuals to pay for its removal from a list would be a purpose that a reasonable person would not consider appropriate. The concept of reasonable expectations of individuals will also be better fleshed out by the Office of the Commissioner.

The Duty to be Informed and to Advise

The undersigned made two observations. First, information technology, whether we're talking about cloud computing, big data or the Internet of Things, are game-changers. Nevertheless, the evolution of technology does not relieve the individual of his duty to inform himself. On the counterpart,organizations must provide intelligible informationindividuals so that they provide informed consent. In this respect, the undersigned noted that the duty to inform does not overlap with the duty to advise.

Finally, the position taken by the undersigned aims at supporting the search for, and the striking of, a balance: organizations must inform consistently, clearly, concisely and comprehensively; but the individual must also make reasonable efforts to enquire and understand the content.

The Office notes that it would not be fair to ask consumers to shoulder all the responsibility of having to deconstruct complex data flows in order to make an informed choice. This is why organizations must be transparent about their practices and respectful of the individuals' right to make privacy choices.

Finally, the Office shares the view that a balance should be achieved. It considers that everyone (i.e.: individuals, organizations, regulators and legislators) needs to play their part for privacy to be protected effectively.


The Office also dealt with cases where it would be difficult to obtain the individual's consent directly. Indeed, PIPEDA was drafted at a time when business models were limited to traditional transactional relationships, often bilateral in nature. However, with the emergence of new technologies, such as artificial intelligence, it is becoming increasingly difficult to know how personal information is managed, which undermines the validity and relevance of consent. To address this, three solutions are proposed by the Office:

  • First, the de-identification of data, despite the fear of being able to re-identify it. The Office will, therein, issue guidance on de-identification.
  • Then, the Office recommends that Parliament find a way to modernize the Regulations Specifying Publicly Available Personal Information. Indeed, the Office wants to strike a fine balance between, on the one hand, the fundamental rights of individuals and, on the other, the right to access information in the public interest.
  • Finally, the Office of the Commissioner is examining situations where it is simply impossible to obtain the individual's consent. The Office therefore is suggesting that Parliament amend PIPEDA to introduce new consent exceptions to manage activities where the societal benefits clearly outweigh the privacy incursions, subject to strict conditions and stronger enforcement.

In short, consent remains pivotal to the enforcement of privacy laws. However, the rapid development of technology requires the concept to be overhauled. At the heart of this modernization will be the search for a balance between the protection of personal information and the use of technology: consistency, clarity and conciseness, while remaining as comprehensive as possible -- this is the challenge for organizations in terms of informed consent. New exceptions may be suggested, but they will be limited to cases where the public interest outweighs the protection of privacy and, even then, they will be strictly regulated.

    Subscribe

    Receive email updates from our team

    Subscribe