Law Publications

Title

Submission to the Office of the Privacy Commissioner of Canada: Consultation on Consent and Privacy

Document Type

Report

Publication Date

8-2016

Abstract

The current consent model is inadequate to protect the legitimate privacy interests of individuals in a time of increased technological complexity. Since many of the historical conditions and assumptions underlying the adoption of the current consent model have become outdated, this submission argues that measures to strengthen consent need to be taken to ensure that it is meaningful.

The submission rejects the argument that consent requirements should be relaxed, as this would be detrimental to the fundamental privacy rights of individuals and it would fail to achieve the goals of PIPEDA. The PIPEDA framework is based on a set of balancing principles, and a purposive approach should be taken in re-calibrated these principles from time to time. Instead of relaxing consent requirements, the consent model needs to be strengthened and supplemented with other regulatory measures.

We propose to enhance informed consent by making privacy policies/terms of service more understandable and giving users and consumers better ways to understand and express their privacy preferences. We recognize a troubling paradox of consent (if the information provided in the privacy policy is shorter, a person may not be fully informed, but if the full information is provided it can become too long to reasonably expect a person to fully read and understand it) and the consequent need to craft more accessible and understandable privacy policies/terms of service. Toward this end we propose that the OPC undertake to develop a model privacy policy/terms of service.

But while improving informed consent is a necessary step towards achieving the overall policy goals of protecting privacy, it is by no means a complete solution, so we also discuss further accountability and regulatory measures that will supplement making privacy policies more understandable.

The submission argues that consumers should not be penalized for expressing their privacy preferences in a way that withholds consent.

We also propose that data generated from Internet of Things (IoT) applications should be presumed to be sensitive and also that IoT generated data be deemed to be “personal information” even if it has been allegedly depersonalized. This is due to the highly increased risk of repersonalization, and the ability of powerful algorithms to make sensitive inferences from otherwise insensitive information.

We will conclude with a proposal for several textual revisions to PIPEDA Principle 4.

Notes

This research was supported by a grant from the Foundation for Legal Research with additional support from the University of Western Ontario Faculty of Law.This report will be accompanied by a companion paper "The Internet of Things: Implications for Consumer Privacy under Canadian Law” (forthcoming)

COinS