Submission to the OPC’s Consultation on Consent under PIPEDA (Trosow, Tremblay and Weiss)
Samuel E. Trosow, Scott Tremblay, and Daniel Weiss (University of Western Ontario)
October 2016
Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.
Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
Summary
The current consent model is inadequate to protect the legitimate privacy interests of individuals in a time of increased technological complexity. Since many of the historical conditions and assumptions underlying the adoption of the current consent model have become outdated, this submission argues that measures to strengthen consent need to be taken to ensure that it is meaningful.
The submission rejects the argument that consent requirements should be relaxed, as this would be detrimental to the fundamental privacy rights of individuals and it would fail to achieve the goals of PIPEDA. The PIPEDA framework is based on a set of balancing principles, and a purposive approach should be taken in re-calibrating these principles from time to time. Instead of relaxing consent requirements, the consent model needs to be strengthened and supplemented with other regulatory measures.
We propose to enhance informed consent by making privacy policies/terms of service more understandable and giving users and consumers better ways to understand and express their privacy preferences. We recognize a troubling paradox of consent (if the information provided in the privacy policy is shorter, a person may not be fully informed, but if the full information is provided it can become too long to reasonably expect a person to fully read and understand it) and the consequent need to craft more accessible and understandable privacy policies/terms of service. Toward this end we propose that the OPC undertake to develop a model privacy policy/terms of service.
But while improving informed consent is a necessary step towards achieving the overall policy goals of protecting privacy, it is by no means a complete solution, so we also discuss further accountability and regulatory measures that will supplement making privacy policies more understandable.
The submission argues that consumers should not be penalized for expressing their privacy preferences in a way that withholds consent.
We also propose that data generated from Internet of Things (IoT) applications should be presumed to be sensitive and also that IoT-generated data be deemed to be “personal information” even if it has been allegedly depersonalized. This is due to the highly increased risk of repersonalization, and the ability of powerful algorithms to make sensitive inferences from otherwise insensitive information.
We will conclude with a proposal for several textual revisions to PIPEDA Principle 4.
The full submission is available in the following language(s):
Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.