MT>3

Countdown to GDPR

30/4/2018

 

From Cyberlex: Parliamentary Committee Recommends Substantial Revisions to PIPEDA - Part 2 – Consent

(See the original article by Kirsten Thompson, Charles Morgan and Maureen Gillis at McCarthy Tétrault's Cyberlex Blog: Parliamentary Committee Recommends Substantial Revisions to PIPEDA – Part 2 - Consent)

As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation (“GDPR”), which comes into force this year.

We have prepared a multi-part series of posts focusing in more depth on each section of the Report.

In this post, we summarize and comment on the Committee’s findings set out in Part 2 of the Report, which addresses the issues of “meaningful consent” and the enhancement of the consent model, exceptions to the rule of consent, and data portability.

The other posts in this series are:

Part 1 – Overview and Context of the Report

Part 2 – Consent

Part 3 – Online Reputation/ “Right to be Forgotten”

Part 4 – Enforcement Powers of the Privacy Commissioner

Part 5 – Adequacy of PIPEDA under the GDPR

Consent

The concept of consent underpins the entire framework of PIPEDA. Essentially a contract-type model, this approach envisions an enlightened user who freely trades his or her personal information in exchange for services. The premise is that the best protection for personal information is therefore to create the conditions in which individuals are free to use their personal information as they wish. This ethos is stated in PIPEDA’s Principle 3 as “The knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.” Further sub-principles articulate other aspects of consent, such as the necessary processes and timing in obtaining consent, types of consent, and how consent is to be made meaningful.

However, this consent model is under pressure from online technologies. The Report acknowledges this and begins by setting out the Office of the Privacy Commissioner of Canada’s (“OPC”) concern that innovation in information technologies has added significant complexity to online interactions and resulted in more ways to use information. As a result, few individuals take the time to inform themselves of the conditions of use of their personal information. Compounding the problem, noted some witnesses, is that the privacy policies meant to inform individuals are often unreadable or too vague and consent obtained is illusory.

Notwithstanding the problems with the current consent model, most witnesses supported its continued use, albeit in modified form to address the current shortcomings. Many supported enhancements to implicit consent, including “deemed” consent when the risk of harm is low. Other witnesses cautioned against this approach, noting that it is often difficult to evaluate risk and potential harm beforehand.

Other witnesses supported implementing measures that would make consent more meaningful.

Enhancements to Consent

The overall recommendation of the Committee was ultimately that while consent should remain the core element of the privacy regime, it should be enhanced and clarified by additional means. The Report explores four areas in which the consent model could be enhanced and in some cases makes specific recommendations:

  1. Privacy policies. Many witnesses felt that current privacy policies could be dramatically improved, largely in terms of readability and usability. While offering some suggestions on what should be included in a privacy policy, the OPC was of the view that “as a regulatory body, [it] does not consider that it has a role to play in drafting templates for privacy policies.” No specific recommendation was made on this issue.
  2. Opt-in Consent. In a notable shift, the Committee also recommended that opt-in consent be the default for the use of personal information for secondary purposes, with an eye to making it the default for all purposes. This approach to consent would mean organizations would have to have a clear understanding of their primary purpose for collecting personal information, and then determine what purposes are secondary (typically, marketing purposes would be secondary). These secondary purposes would then require express opt-in consent.
  3. Algorithmic Transparency. “Algorithmic transparency” is shorthand for “understanding how automated decisions are made”. In a world where enormous data sets are readily available to organisations, much of this information is processed and analysed with the end goal of refining or supplementing decisions about individuals (e.g. credit risk). When combined with artificial intelligence, the decision-making can be fully automated. An ongoing concern with the use of algorithms such as these that use personal information is that they will perpetuate prejudices or discriminatory practices that exist in society. The Committee was of the view that truly informed consent requires the implementation of measures to improve algorithmic transparency and therefore recommended that the Government of Canada consider implementing such measures.
  4. Revocation of Consent. The Committee acknowledged that in most cases, when a person revokes their consent for something they themselves have posted publicly, such revocation results in the immediate deletion of that content from the platform. However, the Committee commented that this had little effect on those who had copied and/or distributed the content to others. In other jurisdictions, this has meant a positive obligation on organizations to pass along the revocation of consent. The Committee therefore recommended that the Government of Canada study the issue of revocation of consent and clarify the form of revocation required and its legal and practical implications.

Exceptions to Consent

While consent underpins PIPEDA, the legislation also recognizes situations in which consent should not be required.

  1. Publicly Available Information. Currently, certain forms of “publicly available information” identified in the Regulations to PIPEDA are sensibly excluded from consent, but not having been updated, they quaintly refer to information found in a public “telephone directory” and other similar mechanisms. While recognizing the need to update the Regulation to take account of the online world, the Committee expressed some reservations that there may be a misconception that merely because something is accessible online, there is no privacy interest in it. The Committee recommended that the Government of Canada modernize the Regulation in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulation technologically neutral.
  2. Legitimate Business Interests. Currently, PIPEDA prohibits organisations from requiring individuals to consent to the collection, use or disclosure of personal information beyond that required to fulfil the explicitly specified and legitimate purposes, and such collection, use and disclosure must be that which a reasonable person would consider appropriate in the circumstances. A number of witnesses called for PIPEDA to be amended to recognize a new exemption from consent that is based on “legitimate business interests”, premised on the concept in the European model. This exemption from consent would permit organizations to process personal information without express consent for obvious purposes reasonably expected by a customer. A number of witnesses pointed out that this would help streamline privacy notices by shortening them and providing information about the processing activities that consumers really care about. The OPC has resisted the introduction of the exemption from consent for legitimate business issues, and the Report reflects the OPC’s concerns that the category is too broad and is at high risk of abuse by organisations. The Committee recommended that the Government of Canada consider amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests.
  3. Depersonalization. Many organizations incorrectly believe that de-identifying personal information removes it from the ambit of the Act. However, in many cases, when not sufficiently de-identified or when combined with other data, the data may in fact be about an “identifiable individual”. This is especially true in an era of enormous data sets and significant computing power. In its submissions to the Committee, while the OPC recognized that de-identification was a way to reduce risk, it expressed doubt that data could ever be truly de-identified without any residual risk of re-identification. This is a significant issue requiring resolution as increasing numbers of data-driven technologies and companies emerge. To that end, the Committee recommended that the Government of Canada examine the best ways of protecting depersonalized data.
  4. Financial Crime. PIPEDA currently permits disclosure without consent to another organization for the purposes of investigating “fraud”. However, witnesses in the financial services industry identified the need to be able to make similar disclosures for other non-fraud criminal activities such as theft of data, money laundering, terrorist financing and so on. The Committee therefore recommended broadening PIPEDA to replace “fraud” with “financial crime”.

Data Portability

Data portability refers to the right of an individual to request information about them held by an organization and to receive it in a useable and portable form, typically machine-readable. One of the purposes of the right of data portability is to promote competition among organizations – if customers can take their account data, or transaction data, or other data with them when they go, they may be more inclined to leave, which may encourage companies to try harder to compete for their business. It is also premised on the understanding that personal information ought to “belong” to the individual.

Data portability underlies Open Banking in the UK and PSD2 in the EU. Open Banking is in its early days in Canada. Finance Canada released its second consultation paper concerning the review of the federal financial sector framework, in connection with the 2019 Bank Act review. The consultation paper stated that the Department of Finance Canada would be examining the merits of open banking, including consideration of how other jurisdictions are implementing open banking and the potential benefits and risks for Canadians. The Competition Bureau also raised data issues in its recent Fintech paper, and open banking received mention in the recent federal budget.

For open banking to be realized in Canada, PIPEDA’s recognition of data portability will likely be a necessary precondition. The Committee recommended that PIPEDA be amended to recognize this right.

Key Take-Aways

While consent continues to be a bedrock principle in privacy, meaningful consent is becoming increasingly difficult to obtain. Organizations will need to pay close attention to the developments in the Canadian consent model as moves toward opt-in consent, if adopted, will have a significant impact on business processes and will impact the go-forward ability to use certain personal information.

