Submission to OPC on Privacy and Consent

Here is my Submission (with co-authors Scott Tremblay and Daniel Weiss) to the Office of the Privacy Commissioner for their consultation on Privacy and Consent under the Personal Information Protection and Electronic Documents Act.

Summary of Submission of Samuel Trosow,  Scott Tremblay and Daniel Weiss

The current consent model is inadequate to protect the legitimate privacy interests of individuals in a time of increased technological complexity. Since many of the historical conditions and assumptions underlying the adoption of the current consent model have become outdated, this submission argues that measures to strengthen consent need to be taken to ensure that it is meaningful.

The submission rejects the argument that consent requirements should be relaxed, as this would be detrimental to the fundamental privacy rights of individuals and it would fail to achieve the goals of PIPEDA. The PIPEDA framework is based on a set of balancing principles, and a purposive approach should be taken in re-calibrated these principles from time to time.  Instead of relaxing consent requirements, the consent model needs to be strengthened and supplemented with other regulatory measures.

We propose to enhance informed consent by making privacy policies/terms of service more understandable and giving users and consumers better ways to understand and express their privacy preferences. We recognize a troubling paradox of consent (if the information provided in the privacy policy is shorter, a person may not be fully informed, but if the full information is provided it can become too long to reasonably expect a person to fully read and understand it) and the consequent need to craft more accessible and understandable privacy policies/terms of service.  Toward this end we propose that the OPC undertake to develop a model privacy policy/terms of service.

But while improving informed consent is a necessary step towards achieving the overall policy goals of protecting privacy, it is by no means a complete solution, so we also discuss further accountability and regulatory measures that will supplement making privacy policies more understandable.

The submission argues that consumers should not be penalized for expressing their privacy preferences in a way that withholds consent.

We also propose that data generated from Internet of Things (IoT) applications should be presumed to be sensitive and also that IoT generated data be deemed to be “personal information” even if it has been allegedly depersonalized. This is due to the highly increased risk of repersonalization, and the ability of powerful algorithms to make sensitive inferences from otherwise insensitive information.

We will conclude with a proposal for several textual revisions to PIPEDA Principle 4.

Full text of Submission

Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act https://www.priv.gc.ca/information/research-recherche/2016/consent_201605_e.asp

Full text of Personal Information protection and Electronic Documents Act http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html

 

 

 

%d bloggers like this: