Beyond Consent-based Privacy Protection
Eloïse Gratton (Partner and National Co-Leader, Privacy and Data Security)
October 2016
Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.
Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
Summary
At the time that the FIPPs were initially drafted in the early 1970s, their main purpose was to address specific concerns pertaining to computerized databases. The best way to deal with these data protection issues was deemed to be having individuals keep control of their personal information. Forty years later, that self-concept is still one of the most predominant theories of privacy and the basis for data protection laws around the world, including PIPEDA. The “notice and choice” approach is no longer realistic: Individuals are overloaded with information in quantities that they cannot realistically be expected to process or comprehend. Moreover, providing notice and choice in the context of new technologies can be challenging due to the ubiquity of devices, persistence of collection, and practical obstacles for providing information, if devices lack displays or explicit user interfaces. Before amending PIPEDA on consent, one should be careful to make sure that the amendment will not be detrimental or problematic as soon as new technologies emerge. The wording pertaining to obtaining consent under PIPEDA is flexible enough to accommodate new types of technologies and business models. Another argument against amending PIPEDA pertains to the fact that social norms in connection with any new technology or business practice may not yet to be established. The downside of the flexibility surrounding the notion of consent is that it creates uncertainty. Policy guidance on enhancing transparency and obtaining valid consent will therefore be increasingly necessary to address some of this uncertainty and allow organizations to innovate without taking major legal risks. It is always less disturbing to provide a solution which will be incorporated within the current legal framework, such as a proposed interpretation, than to propose a new amendment to the law. The notion of “consent” under PIPEDA is already quite flexible and is technology-neutral, allowing for this notion to be interpreted with the proper balance between the protection of privacy and the need or organizations to collect, use or disclose personal information for the purposes that the reasonable person would consider appropriate in the circumstances. Any interpretation of the notion of consent should consider any impact on innovation, as well as certain new ethical issues that may, to a certain extent, go beyond the current application of PIPEDA. An interpretation which includes a risk-based approach may also allow organizations to streamline their communications with individuals, reducing the burden and confusion on individual consumers. Although this new approach would imply rethinking, to some extent, PIPEDA’s current consent model, this approach should be further explored in the near future.
The full submission is available in the following language(s):
Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.
- Date modified: