Canada: Parliamentary Committee Recommends Substantial Revisions To PIPEDA – Part 2 – Consent

As reported in our recent post, on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee's Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation ("GDPR"), which comes into force this year.

We have prepared a multi-part series of posts focusing in more depth on each section of the Report.

In this post, we summarize and comment on the Committee's findings set out in Part 2 of the Report, which addresses the issues of "meaningful consent" and the enhancement of the consent model, exceptions to the rule of consent, and data portability.

The other posts in this series are:

Part I – Overview and Context of the Report

Part 2 – Consent

Part 3 – Online Reputation/ "Right to be Forgotten"

Part 4 – Enforcement Powers of the Privacy Commissioner

Part 5 – Adequacy of PIPEDA under the GDPR

Consent

The concept of consent underpins the entire framework of PIPEDA. Essentially a contract-type model, this approach envisions an enlightened user who freely trades his or her personal information in exchange for services. The premise is that the best protection for personal information is therefore to create the conditions in which individuals are free to use their personal information as they wish. This ethos is stated in PIPEDA's Principle 3 as "The knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate." Further sub-principles articulate other aspects of consent, such as the necessary processes and timing in obtaining consent, types of consent, and how consent is to be made meaningful.

However, this consent model is under pressure from online technologies. The Report acknowledges this and begins by setting out the Office of the Privacy Commissioner of Canada's ("OPC") concern that innovation in information technologies has added significant complexity to online interactions and resulted in more ways to use information. As a result, few individuals take the time to inform themselves of the conditions of use of their personal information. Compounding the problem, noted some witnesses, is that the privacy policies meant to inform individuals are often unreadable or too vague, and the consent obtained is illusory.

Notwithstanding the problems with the current consent model, most witnesses supported its continued use, albeit in modified form to address the current shortcomings. Many supported enhancements to implicit consent, including "deemed" consent when the risk of harm is low. Other witnesses cautioned against this approach, noting that it is often difficult to evaluate risk and potential harm beforehand.

Other witnesses supported implementing measures that would make consent more meaningful.

Enhancements to Consent

The overall recommendation of the Committee was ultimately that while consent should remain the core element of the privacy regime, it should be enhanced and clarified by additional means. The Report explores four areas in which the consent model could be enhanced and in some cases makes specific recommendations:

  1. Privacy policies. Many witnesses felt that current privacy policies could be dramatically improved, largely in terms of readability and usability. While offering some suggestions on what should be included in a privacy policy, the OPC was of the view that "as a regulatory body, [it] does not consider that it has a role to play in drafting templates for privacy policies." No specific recommendation was made on this issue.
  2. Opt-in Consent. In a notable shift, the Committee also recommended that opt-in consent be the default for the use of personal information for secondary purposes, with an eye to making it the default for all purposes. This approach to consent would mean organizations would have to have a clear understanding of their primary purpose for collecting personal information, and then determine what purposes are secondary (typically, marketing purposes would be secondary). These secondary purposes would then require express opt-in consent.
  3. Algorithmic Transparency. "Algorithmic transparency" is shorthand for "understanding how automated decisions are made". In a world where enormous data sets are readily available to organisations, much of this information is processed and analysed with the end goal of refining or supplementing decisions about individuals (e.g. credit risk). When combined with artificial intelligence, the decision-making can be fully automated. An ongoing concern with the use of algorithms such as these that use personal information is that they will perpetuate prejudices or discriminatory practices that exist in society. The Committee was of the view that truly informed consent requires the implementation of measures to improve algorithmic transparency and therefore recommended that the Government of Canada consider implementing such measures.
  4. Revocation of Consent. The Committee acknowledged that in most cases, when a person revokes their consent for something they themselves have posted publicly, such revocation results in the immediate deletion of that content from the platform. However, the Committee commented that this had little effect on those who had copied and/or distributed the content to others. In other jurisdictions, this has meant a positive obligation on organizations to pass along the revocation of consent. The Committee therefore recommended that the Government of Canada study the issue of revocation of consent and clarify the form of revocation required and its legal and practical implications.

Exceptions to Consent

While consent underpins PIPEDA, the legislation also recognizes situations in which consent should not be required.

  1. Publicly Available Information. Currently, certain forms of "publicly available information" identified in the Regulations to PIPEDA are sensibly excluded from consent, but not having been updated, they quaintly refer to information found in a public "telephone directory" and other similar mechanisms. While recognizing the need to update the Regulation to take account of the online world, the Committee expressed some reservations that there may be a misconception that merely because something is accessible online, there is no privacy interest in it. The Committee recommended that the Government of Canada modernize the Regulation in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulation technologically neutral.
  2. Legitimate Business Interests. Currently, PIPEDA prohibits organisations from requiring individuals to consent to the collection, use or disclosure of personal information beyond that required to fulfil the explicitly specified and legitimate purposes, and such collection, use and disclosure must be that which a reasonable person would consider appropriate in the circumstances. A number of witnesses called for PIPEDA to be amended to recognize a new exemption from consent that is based on "legitimate business interests", premised on the concept in the European model. This exemption from consent would permit organizations to process personal information without express consent for obvious purposes reasonably expected by a customer. A number of witnesses pointed out that this would help streamline privacy notices by shortening them and providing information about the processing activities that consumers really care about. The OPC has resisted the introduction of the exemption from consent for legitimate business issues, and the Report reflects the OPC's concerns that the category is too broad and is at high risk of abuse by organisations. The Committee recommended that the Government of Canada consider amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests.
  3. Depersonalization. Many organizations incorrectly believe that de-identifying personal information removes it from the ambit of the Act. However, in many cases, when not sufficiently de-identified or when combined with other data, the data may in fact be about an "identifiable individual". This is especially true in an era of enormous data sets and significant computing power. In its submissions to the Committee, while the OPC recognized that de-identification was a way to reduce risk, it expressed doubt that data could ever be truly de-identified without any residual risk of re-identification. This is a significant issue requiring resolution as increasing numbers of data-driven technologies and companies emerge. To that end, the Committee recommended that the Government of Canada examine the best ways of protecting depersonalized data.
  4. Financial Crime. PIPEDA currently permits disclosure without consent to another organization for the purposes of investigating "fraud". However, witnesses in the financial services industry identified the need to be able to make similar disclosures for other non-fraud criminal activities such as theft of data, money laundering, terrorist financing and so on. The Committee therefore recommended broadening PIPEDA to replace "fraud" with "financial crime".

Data Portability

Data portability refers to the right of an individual to request information about them held by an organization and to receive it in a useable and portable form, typically machine-readable. One of the purposes of the right of data portability is to promote competition among organizations – if customers can take their account data, or transaction data, or other data with them when they go, they may be more inclined to leave, which may encourage companies to try harder to compete for their business. It is also premised on the understanding that personal information ought to "belong" to the individual.

Data portability underlies Open Banking in the UK and PSD2 in the EU. Open Banking is in its early days in Canada. Finance Canada released its second consultation paper concerning the review of the federal financial sector framework, in connection with the 2019 Bank Act review. The consultation paper stated that the Department of Finance Canada would be examining the merits of open banking, including consideration of how other jurisdictions are implementing open banking and the potential benefits and risks for Canadians. The Competition Bureau also raised data issues in its recent Fintech paper, and open banking received mention in the recent federal budget.

For open banking to be realized in Canada, PIPEDA's recognition of data portability will likely be a necessary precondition. The Committee recommended that PIPEDA be amended to recognize this right.

Key Take-Aways

While consent continues to be a bedrock principle in privacy, meaningful consent is becoming increasingly difficult to obtain. Organizations will need to pay close attention to the developments in the Canadian consent model, as moves toward opt-in consent, if adopted, will have a significant impact on business processes and will impact the go-forward ability to use certain personal information.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
