Canada’s privacy watchdog announced today that his office is seeking public input on the issue of consent in the digital age. Daniel Therrien, Privacy Commissioner of Canada, has invited submissions from groups and individuals alike — specifically mentioning IT specialists and educators — in a speech made this morning at the International Association of Privacy Professionals conference in Toronto.
Therrien said that mobile apps, smart devices, wearable technology, and the verbose privacy policies of the services we use every day are creating new challenges for the current consent model in the law. The Personal Information and Electronic Documents Act (PIPEDA) that created that model was introduced before smartphones, cloud computing, and the social networking boom, he noted.
“Gone are the days of routine, predictable, and transparent one-on-one interactions with companies,” reads the text of Therrien’s speech. “It is no longer entirely clear who is processing our data and for what purposes.”
Consumers are being saddled with an overwhelming amount of legal text when making a choice about whether to share their personal information, the commissioner says. It’s time to update how consent can be collected from Canadians under the law, and the commissioner’s office has released a discussion document outlining some options as a starting point.
Also in his speech, Therrien made an appeal to consider giving his office more authority to proactively enforce privacy legislation. Most other countries allow privacy regulators to issue binding orders to impose financial sanctions against organizations, he says, so why not Canada?
Therrien also put forward some possible solutions or alternatives to the consent model:
- Giving consumers the ability to manage privacy preferences across various services, providing them with more information, and requiring that software is designed to protect privacy. Potentially, a third-party website could be used to create a privacy profile for consumers and then other apps and services would be vetted based on the user’s desired settings.
- In Europe, data processing without consent is allowed so long as it’s done for legitimate business purposes and doesn’t intrude on the rights of the individual. Organizations are expected to conduct a balancing test of their interests vs. those of the individual. Canada could take this approach, or define legitimate interests up front first, so it would be very clear when individual information could be used without consent.
- There could be “no-go zones” that prohibit the collection, use or disclosure of personal information in certain circumstances. Examples of no-go zones could include tracking of children’s activities online.
Canadian businesses recently learned a lot about collecting consent from customers – and being able to prove it – when Canada’s Anti-Spam Legislation went into effect, requiring businesses to have express or implied consent from those that they choose to email. It’s not clear how a PIPEDA rewrite would affect CASL, as the Privacy Commissioner is just one of several regulatory bodies involved in CASL and the CRTC has been the primary enforcement body.