Submission to the OPC’s Consultation on Consent under PIPEDA (OAIC)

Timothy Pilgrim, PSM (Acting Australian Information Commissioner, Office of the Australian Information Commissioner)

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

---

Summary

I welcome the opportunity to comment on the Office of the Privacy Commissioner of Canada’s (OPCC) Discussion Paper (the discussion paper) exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act (PIPEDA).

The discussion paper outlines a range of challenges and complex issues associated with the consent model. The consideration of these issues is timely, as my office, the Office of the Australian Information Commissioner (OAIC) is continually reflecting on the many opportunities presented by big data, the Internet of Things and the evolution to a continuously connected world, and how these intersect with individuals’ expectations of privacy. The significant technological developments that have made big data practices and Internet of Things infrastructure a part of everyday life, demand that careful consideration be given to the way individuals exercise choice and control over their personal information – particularly, how individuals can be given notice of, and exercise meaningful consent to, an entity’s often complex information handling practices.

In that context, this submission addresses consultation question 1, ‘of the solutions identified in this paper, which one(s) have the most merit and why?’, by outlining:

• steps taken by the OAIC to ensure notice given, and consent obtained, under the Australian Privacy Act 1988 (Cth) (the Privacy Act), are meaningful
• the OAIC’s focus on other measures to enhance privacy that complement transparency, notice and consent, such as de-identifying personal information and ensuring regulated entities implement good privacy governance mechanisms.

The submission also addresses consultation question 3, ‘what roles, responsibilities and authorities should the parties responsible for promoting the development and adoption of solutions have to produce the most effective system?’, by outlining the OAIC’s regulatory powers under the Privacy Act, and how these are exercised in practice.

In my view, while facilitating individual choice and control through notice and consent remains an appropriate foundation for protecting privacy under Australian law, working closely with regulated entities to foster a culture of good privacy governance will complement and strengthen this model of privacy protection. The OAIC would also welcome the opportunity to engage with the OPCC in the future about other emerging models for privacy regulation that are intended to enhance privacy protections.

The full submission is available in the following language(s):

English (PDF document)

Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.