The Office of the Privacy Commissioner (OPC) has recently
published a discussion paper entitled "Consent and privacy" exploring potential
enhancements to consent under PIPEDA.The OPC also launched a Consultation and Call for Submissions
requesting input on its consent paper,asking whether legislative
changes are required, and requesting comments on solutions which
would be helpful in addressing consent challenges.
The paper discusses how, at the time that the FIPPs (Fair
Information Privacy Practices) were initially drafted in the early
1970s, their main purpose was to address specific concerns
pertaining to computerized databases. The best way to deal with
these data protection issues was deemed to be having individuals
keep control of their personal information. Forty years later, that
self-concept is still one of the most predominant theories of
privacy and the basis for data protection laws around the world,
including PIPEDA. The paper explains how the "notice and
choice" approach is no longer realistic: Individuals are
overloaded with information in quantities that they cannot
realistically be expected to process or comprehend. Moreover,
providing notice and choice in the context of new technologies can
be challenging due to the ubiquity of devices, persistence of
collection, and practical obstacles for providing information, if
devices lack displays or explicit user interfaces.
Gratton argues that before amending PIPEDA on consent, one
should be careful to make sure that the amendment will not be
detrimental or problematic as soon as new technologies emerge. She
believes that the wording pertaining to obtaining consent under
PIPEDA is flexible enough to accommodate new types of technologies
and business models. Another argument against amending PIPEDA
pertains to the fact that social norms in connection with any new
technology or business practice may not yet be established.
The downside of the flexibility surrounding the notion of
consent is that it creates uncertainty. Policy guidance on
enhancing transparency and obtaining valid consent will therefore
be increasingly necessary to address some of this uncertainty and
allow organizations to innovate without taking major legal risks.
Businesses may well benefit from more OPC guidance when new types
of technologies or business models make their way.
The paper discusses that it is always less troubling to provide
a solution which will be incorporated within the current legal
framework, such as a proposed interpretation, than to propose a new
amendment to the law. The notion of "consent" under
PIPEDA is already quite flexible and is technology-neutral,
allowing for this notion to be interpreted with the proper balance
between the protection of privacy and the need for organizations to
collect, use or disclose personal information for the purposes that
the reasonable person would consider appropriate in the
circumstances. Gratton articulates the view that any interpretation
of the notion of consent should consider any impact on innovation,
as well as certain new ethical issues that may, to a certain
extent, go beyond the current application of PIPEDA.
She also raises that an interpretation which includes a
risk-based approach may also allow organizations to streamline
their communications with individuals, reducing the burden and
confusion on individual consumers. Although this new approach would
imply rethinking, to some extent, PIPEDA's current consent
model, she maintains that this approach should be further explored
in the near future.
Peerenboom v Marvel Entertainment (2016 NY Slip Op 31957(U)) is drama-driven case in which the New York County Supreme Court afforded Toronto businessman Harold Peerenboom the right to obtain the private emails...
The Supreme Court of Canada released a landmark decision today giving important guidance on how Canada's federal privacy law, the Personal Information Protection and Electronic Documents Act, should be interpreted.
The Ontario Superior Court of Justice recently approved a settlement agreement in the Lowanski v The Home Depot class action, a decision that highlights adequate protection and a sufficient response can significantly reduce the legal risks after a data breach.
The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the "EU Decision") raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).