PIPEDA Revisions and Consent Paradigm
Charmaine Shaw
October 2016
Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.
Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
The discussion paper presents a comprehensive depiction of the issues and provides a detailed set of options for solutions. In the below, I offer my opinion as an individual privacy practitioner.
1. How should PbD be treated in the context of Canada’s privacy law framework? Should this concept merely be encouraged as a desirable aspect of an accountability regime? Or should it become a legislated requirement as it will soon be in Europe?
I think there is a lot of merit in standardizing privacy practices across jurisdictions and that legislating PbD would be in keeping with this. Although privacy by design is encouraged, organizations are not inclined to ‘do the right thing’, especially if it entails additional cost, unless there is an incentive. The role of Privacy Commissioner tends to be reactive and the result is that Privacy Regulators tend to chase, as opposed to lead, industry practice. PIAs are very useful tools but the onus (and expense) is on the organization/company that implements/purchases a technology whereas the owner of the technology should ensure built-in privacy protections and the purchaser should be held accountable for implementation in a privacy-protecting manner. Actor: Legislators
2. Is there a workable, risk-based approach that can vary the stringency of the consent requirement with the risk of re-identifiability of data?
I think this is an area where there should be ‘no-go zones’ and wherein privacy protections should be aligned with risk of re-identification. Contractual agreements would also need to be part of the solution. As has been stated, true de-identification of data may not be feasible but there are degrees of data sensitivity and probabilities of re-identification that should be considered. Actor: Regulators
3. Could sectoral codes of practice indeed enhance consent and/or privacy protection?
Yes, I think that codes of practice could be employed to ensure that uses of information would be restricted to those authorized within privacy legislation. Organizations are competitive in nature – and need to be, in order to thrive. However, this leads to organizations being incentivized to copy what their competitors are doing as opposed to being incentivized to ‘do the right thing’. Actor: Organizations.
4. Should Consumer’s Ethics Boards be established?
Yes, I think that Consumer’s Ethics Boards, similar to Research Ethics Boards should be established to perform the role of sanctioning collections, uses and/or disclosures of information contemplated by organizations. The Boards should be comprised of privacy officers and representatives of the public and should be funded either by government or a funding source that consists in pots of fees collected from participating organizations. Actor: Individuals.
These measures will serve to decrease the burden of discovery and accountability from the consumer to the organization but should replace the requirement for consent. Privacy Commissioners should have increased power and should audit privacy compliance as opposed to relying on complaints.
Thank you for the opportunity to provide feedback on this important aspect of privacy legislation.
Sincerely,
Charmaine Shaw
- Date modified: