Here is my Submission (with co-authors Scott Tremblay and Daniel Weiss) to the Office of the Privacy Commissioner for their consultation on Privacy and Consent under the Personal Information Protection and Electronic Documents Act.
Summary of Submission of Samuel Trosow, Scott Tremblay and Daniel Weiss
The current consent model is inadequate to protect the legitimate privacy interests of individuals in a time of increased technological complexity. Since many of the historical conditions and assumptions underlying the adoption of the current consent model have become outdated, this submission argues that measures to strengthen consent need to be taken to ensure that it is meaningful.
The submission rejects the argument that consent requirements should be relaxed, as this would be detrimental to the fundamental privacy rights of individuals and it would fail to achieve the goals of PIPEDA. The PIPEDA framework is based on a set of balancing principles, and a purposive approach should be taken in re-calibrated these principles from time to time. Instead of relaxing consent requirements, the consent model needs to be strengthened and supplemented with other regulatory measures.
But while improving informed consent is a necessary step towards achieving the overall policy goals of protecting privacy, it is by no means a complete solution, so we also discuss further accountability and regulatory measures that will supplement making privacy policies more understandable.
The submission argues that consumers should not be penalized for expressing their privacy preferences in a way that withholds consent.
We also propose that data generated from Internet of Things (IoT) applications should be presumed to be sensitive and also that IoT generated data be deemed to be “personal information” even if it has been allegedly depersonalized. This is due to the highly increased risk of repersonalization, and the ability of powerful algorithms to make sensitive inferences from otherwise insensitive information.
We will conclude with a proposal for several textual revisions to PIPEDA Principle 4.
Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act https://www.priv.gc.ca/information/research-recherche/2016/consent_201605_e.asp
Full text of Personal Information protection and Electronic Documents Act http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html
This research was supported by a grant from the Foundation for Legal Research with additional support from the University of Western Ontario Faculty of Law. This report will be accompanied by a companion paper “The Internet of Things: Implications for Consumer Privacy under Canadian Law” (forthcoming)