What does consent look like in the 21st century? Canada’s privacy commissioner calls for public input

Canada’s privacy watchdog announced today that his office is seeking public input on the issue of consent in the digital age. Daniel Therrien, Privacy Commissioner of Canada, has invited submissions from groups and individuals alike — specifically mentioning IT specialists and educators — in a speech made this morning at the International Association of Privacy Professionals conference in Toronto.

Therrien said that mobile apps, smart devices, wearable technology, and the verbose privacy policies of the services we use every day are creating new challenges for the current consent model in the law. The Personal Information and Electronic Documents Act (PIPEDA) that created that model was introduced before smartphones, cloud computing, and the social networking boom, he noted.

“Gone are the days of routine, predictable, and transparent one-on-one interactions with companies,” reads the text of Therrien’s speech. “It is no longer entirely clear who is processing our data and for what purposes.”

Consumers are being saddled with an overwhelming amount of legal text when making a choice about whether to share their personal information, the commissioner says. It’s time to update how consent can be collected from Canadians under the law, and the commissioner’s office has released a discussion document outlining some options as a starting point.

Also in his speech, Therrien made an appeal to consider giving his office more authority to proactively enforce privacy legislation. Most other countries allow privacy regulators to issue binding orders to impose financial sanctions against organizations, he says, so why not Canada?

Therrien also put forward some possible solutions or alternatives to the consent model:

  • Giving consumers the ability to manage privacy preferences across various services, providing them with more information, and requiring that software is designed to protect privacy. Potentially, a third-party website could be used to create a privacy profile for consumers and then other apps and services would be vetted based on the user’s desired settings.
  • In Europe, data processing without consent is allowed so long as it’s done for legitimate business purposes and doesn’t intrude on the rights of the individual. Organizations are expected to conduct a balancing test of their interests vs. those of the individual. Canada could take this approach, or define legitimate interests up front first, so it would be very clear when individual information could be used without consent.
  • There could be “no-go zones” that prohibit the collection, use or disclosure of personal information in certain circumstances. Examples of no-go zones could include tracking of children’s activities online.

Canadian businesses recently learned a lot about collecting consent from customers – and being able to prove it – when Canada’s Anti-Spam Legislation went into effect, requiring that businesses have express or implied consent from those they choose to email. It’s not clear how a PIPEDA rewrite would affect CASL, as the Privacy Commissioner is just one of several regulatory bodies involved in CASL and the CRTC has been the primary enforcement body.


Brian Jackson
http://www.itbusiness.ca
Editorial director of IT World Canada. Covering technology as it applies to business users. Multiple COPA award winner and now judge. Paddles a canoe as much as possible.
