PIPEDA’s consent regime still working the way it should

  • January 22, 2020

Canada’s overall privacy regime might have problems but, to paraphrase Jay Z, PIPEDA’s knowledge-and--consent model ain’t one.

That was the CBA’s Privacy and Access Law Section’s response to a consultation document released by Innovation, Science and Economic Development Canada titled Strengthening Privacy for the Digital Age, a reaction to the fear that increased volume and complexity of data flows could be leaving people without meaningful control over their personal information.

“In general, our members’ experience is that PIPEDA has worked well and is achieving its intended purpose,” the Section wrote. “If it is determined that there are new challenges that require amendments to the legislation, we suggest that they be approached cautiously.”

While the Section has long advocated for changes to the Privacy Act, which it argues has failed to keep up with the times, it says PIPEDA’s knowledge-and-consent regime avoids that problem by being technology-neutral, which allows privacy practices to evolve to reflect changes in technology and business practices.

“The PIPEDA consent model, supported by the broader legal framework, continues to be robust in protecting the privacy of Canadians – including vulnerable groups – in the face of emerging technologies and business models that increasingly rely on the collection of personal information,” the Section writes.

“We do not agree with those who argue that doing away with the knowledge-and-consent regime in PIPEDA will improve privacy rights for individuals. Doing that would result in more reliance on the accountability principle, when accountability itself is a standard that many businesses are struggling to achieve.”

Having said that, however, the Section acknowledges that there is room for improvement and makes a number of recommendations for doing so, including addressing what it describes as “key gaps” in the legislation, i.e., the fact that political parties aren’t subject to the same privacy laws as private and public organizations; and the lack of a bright-line test to determine whether a charitable activity is commercial in nature, and thus within PIPEDA’s scope.

The consent regime was just one area touched on in the consultation document, others included innovation, enforcement and oversight, and areas of ongoing assessment.

Recommendations put forward by the Section include bolstering PIPEDA’s consent regime through the provision of additional information to individuals. It says ISED should work with other sectors to consider data mobility, and recommends that “any right to data mobility be conditional on the implementation of sector-compatible frameworks and infrastructure that permit interoperability and secure data flow.”

Other recommendations include:

  • That the appropriateness of the use of a trusted data exchange be assessed by whether and to what extent the data is de-identified, as well as criteria such as the sensitivity of the information and controls in place to prevent misuse
  • That the Standards Council of Canada be considered when determining accountability for a certification regime
  • That there not be any major shift in the current roles and functions of the actors that make up the PIPEDA enforcement regime, and that the Office of the Privacy Commissioner be encouraged to use existing powers and tools.