Submission to the OPC’s Consultation on Consent under PIPEDA (Consumers Council of Canada)

Consumers Council of Canada

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Overview

The exponential growth in the amount of data that is created and collected in electronic form from an increasing number of sources makes control difficult from a data privacy standpoint. Information will continue to be generated, captured and used for both legitimate and questionable purposes. It also will be increasingly difficult to control the uses of personal information using traditional methods. Technology controls will need to be implemented to assist in the management of personal information. Technical solutions will need to be considered for use in testing for compliance.

Privacy concerns have increased considerably with the rapid expansion of the various technologies. Developments include the ability to capture background information without the explicit knowledge of the data subject (e.g. through the Internet of Things). Data is available in large and growing volumes, and the capability of taking these large datasets (e.g. ‘big data’) and interpreting information trends is being enhanced through the use of advanced tools to analyze data in sophisticated ways. Also, and as correctly pointed out in the OPC paper, the increasing ability to cross-reference data from numerous sources permits the ability to re-identify an individual’s profile, even if the information has previously been “de-identified”.

Recognizing the many complexities and interrelationships of today’s data processing environment, and the increased potential for “data leakage”, it will be increasingly difficult to manage personal information effectively, let alone to protect it from unauthorized or unethical uses. The processing environment will also continue to expand rapidly with the increases in the capture of information, coupled with new innovations surrounding the potential uses of the information. The OPC paper also correctly raises the difficulties associated with presenting information to users in a transparent and understandable way about how their information will be processed and safeguarded, so that they are able to make educated decisions regarding how or whether they wish to participate in an environment where their personal information may end up being shared or used in ways that make them uncomfortable.

Consent and Alternative Privacy Models

Regulatory bodies need to continue to define and classify what constitutes personal information and how it can be used. However, individual consent will need to remain as a cornerstone of any privacy program. The limitations associated with the existing privacy policy and consent models are clearly laid out in the OPC paper. Even the most diligent and educated user would not be able to read all of the privacy policies that impact them, nor would they be able to fully understand the implications of accepting the terms and conditions associated with a particular application.

Even if privacy policies are made more transparent, understandable and specific, new methods for dealing with this problem are required.

The Role of Technology in the Solution

Of the solutions suggested, the use of technology specific safeguards would seem to be an inevitable part of the solution, if only because many of the problems that have been created have been through the rapid expansion of technology capabilities. As reported in the OPC paper, “The White House Report entitled Big Data and Privacy: A Technological Perspective suggests that responsibility for using personal data in accordance with the user’s preferences should rest with the organization, possibly assisted by a mutually accepted intermediary. Individuals would associate themselves with a standard set of privacy preference profiles offered by third parties. The third party websites would then vet apps and services based on the user’s privacy profile.”

This would seem to be a reasonable approach. The current consent model might be enhanced or replaced through the use of a single comprehensive electronic approach (e.g. an automated questionnaire or user dashboard) used to capture and establish a user’s privacy preferences, including the ways in which they would permit sharing of their personal information. This could help to highlight the extent to which a user would wish to balance the risks associated with those uses against the possible benefits of sharing.

The results of this automated approach might then be used to establish a reasonably comprehensive user privacy profile that sets out preferences to be used for the digital tagging of personal information that is accessed by the many applications that they use, or that are used by others (e.g. organizations and government). Each user might have an individual key identifier to apply when consent is requested, in order to use their profile to establish the boundaries surrounding the use of their private information. The questionnaire could be revisited periodically and changed, if desired, to either grant or rescind permissions associated with the use of the person’s information. If information was properly tagged, this could then thread back through the various systems affected to change privacy settings prospectively. However, the retroactive changing of a privacy setting (e.g. the withdrawal of consent) will be an increasing challenge where initial privacy settings have permitted the information to be shared. In today’s digital economy, such information is likely to be proliferated too rapidly through different systems, and it may be impossible to “put the genie back into the bottle” once the information is out.

The OPC paper included the possibility of having management portals or dashboards that include privacy settings, so consumers can set up and revisit their preferences. This is a variation on the questionnaire approach, which has merit and may be an evolutionary step in the process.

Compliance and Enforcement

It is highly unlikely that self-policing of organizations regarding compliance with privacy policies and regulations will work effectively without a strong oversight or governance function being established. A government organization such as the OPC will need to play a critical and expanding role in enforcement. Its current role may need to be expanded to enable this, especially given the rapidly expanding use of personal information that needs protection.

However, compliance programs, such as the use of third party certification or regulated public licensing by specific functions, may be used as effective vehicles to accomplish an acceptable level of organizational compliance, as well as to establish user confidence in the overall privacy program. And individuals will need more opportunities to learn what personal information is mandated to be public information, and why it is not considered private.

The Need for Conformity with International Regulations

Canada is one of the few non-EU countries considered to ensure an adequate level of protection for personal information “by reason of its domestic law or of the international commitments it has entered into”. This is extremely valuable in permitting the relatively free flow of personal information between Canada and EU nations when deemed appropriate.

Whatever solutions are considered, it will be extremely important for these to conform to fundamental EU requirements. This may limit the selection of certain of the possible solutions suggested in the OPC paper, but was not identified as an important consideration.