Is PIPEDA up to the challenge?

September 14, 2016

Note: The following views are those of the authors only. Also, it is noteworthy that the bulk of the thinking and writing of this article took place prior to the release by the Office of the Privacy Commissioner of their Notice of Consultation and Call for Comments on 11 May 2016.

When the legislative framework that underpins the Personal Information Protection and Electronic Documents Act, or PIPEDA, was developed more than 15 years ago, it was considered to be a remarkable achievement because it was reached in very Canadian style – through a consensus of consumer, business and government representatives. PIPEDA was developed as a framework based on 10 commonly accepted fair information principles to be used by organizations as a means to assess and apply appropriate and adequate governance of personal information collected from, and about, Canadians that would be used or disclosed in the course of their commercial activities. But PIPEDA was also an achievement because those representatives, each representing diverse constituencies and schools of thought, had the foresight to recommend that PIPEDA encompass not only the 10 principles that reflected the concepts of sensitivity and harm, openness and transparency, and knowledge and consent, but that these principles should be wrapped within a reasonableness standard. And these concepts, together with the 10 principles, should be drafted in technology-neutral language to be as broad as possible to stand the test of time.

But have they? When these concepts are examined today, we cannot ignore the significant technological shift of the past decade, which has affected the relationship between organizations and individual Canadians as more data is generated, collected, used and shared than ever before. Technology has had a significant impact on the way individuals interact with each other and with businesses, governments and other organizations, as they negotiate and participate in commercial and non-commercial activities that involve their personal information. Technology has also influenced the way businesses deliver products and services to the market, as well as how they interact with their customers. 

So while technology has produced a profound shift in our personal and business interactions, has PIPEDA been able to handle the stress caused by this shift? Are the concepts foundational to PIPEDA still relevant and as valid today as they were when the law came into force in 2001? 

Some feel the PIPEDA model is broken and in need of an overhaul. As Europe and Asia introduce new privacy regulation, a chorus of voices has questioned whether Canada’s privacy law is adequate and advocates for legislative reforms that would fundamentally change the existing framework. Others focus on the principle of consent and feel it is no longer relevant or meaningful in today’s data-driven world, claiming that the advent of big data analytics and the Internet of Things has introduced too much complexity and context for the outdated concepts contained in PIPEDA to weigh against. Some support legislative reform because they believe the balance of informational power has shifted from individuals to organizations, as consumers and citizens feel a loss of control over their personal information and overall privacy.

However, in our view, PIPEDA still offers Canada the best starting point for protecting Canadians’ privacy during this fluid time because the principles it is built on remain relevant. Thus, perhaps a better starting point should be not how PIPEDA needs to be changed or what it should be replaced with, but how the principles of PIPEDA can be applied to the thoughtful analysis of new methods of product and service delivery, data analytics and communication. In drawing comparisons with other statutes, we must take into account the totality of the foundational concepts contained in PIPEDA, how they have been “stress-tested” and, we would argue, have stood the test of time since the law was introduced. 

Transparency, knowledge and consent

While it is important to remember that privacy is about more than consent, consent is a central underpinning of PIPEDA and the law encompasses the dual notions of “knowledge and consent.” Taken together, they act as central factors for applying valid forms of consent, whether express or implied, depending on the circumstances and balanced against the concept of reasonableness – what a Canadian would consider reasonable in the circumstance. 

Transparency is another key concept of PIPEDA and this concept is directly linked to knowledge. In order for an organization to be more transparent, PIPEDA requires that it must provide individuals with more information regarding the use of their personal information so individuals can make more informed choices. As transparency increases, so should knowledge, thereby further validating the consent the individual has provided (whether it be express or implied), allowing consumers to have meaningful opportunities to consent to the particular uses of their personal information based on what they consider to be reasonable in the circumstance. 

Over the years the concept of transparency has not remained static and what individuals consider to be reasonable has shifted. And the law has kept pace. In numerous findings and investigations, successive Privacy Commissioners have been successful in requiring Canadian and international organizations alike to seek new ways to become more transparent by using various methods, from the more traditional privacy policies and terms of service, to privacy pages filled with FAQs and hot topics, to layered notices where users can click through to find out more, to just-in-time notices on mobile apps. And Commissioners will continue to push organizations to do more as technology continues to evolve.     

The role of sensitivity and harm

It’s important to consider how the principles of PIPEDA and the concepts in the statute require organizations to do meaningful analysis of new methods of data analytics and to assess the impact on individual privacy. More specifically, we must apply the concepts of sensitivity and harm to new technologies. The most important factor in determining sensitivity of personal information is the context of the information. This contextual analysis will take into account not only the nature of the information, but details about how personal information was collected or received, where and how it will be used and the outcome produced. This will influence where things lie on the sensitivity spectrum. Directly related to sensitivity is the harm – real or perceived – that could be caused by either disclosure of the personal information or its inappropriate use. A contextual analysis is required prior to making a determination about sensitivity of data or scope of harm. These determinations must be made based on the facts of the circumstances, so organizations should avoid broad statements of acceptable or unacceptable use in their privacy policies or notices. The very structure and principles of PIPEDA underpin these determinations, which is further proof that PIPEDA continues to adequately address the evolving landscape of challenges presented by the adoption of new technologies and consumer attitudes, because it is built on solid principles rather than specific applications.

For example, while health and financial data may, at first glance, seem to be sensitive, this data can be used in a way that could make it not as sensitive as initially envisioned. In the same way, fairly routine and straightforward personal information can be sensitive in the right context. That being said, there is a general consensus that some categories of personal information or combinations of that information may be so sensitive to begin with that, more from an ethical perspective, they should be considered “no go zones” beyond their original use – but that too, by necessity, depends on context. The principle is what’s important, as is the application of that principle to new uses. 

Conclusion

The spirit of the PIPEDA law is based on a balance between an individual’s right to privacy and the right of an organization to collect, use and share personal information for legitimate business purposes. This reflects the understanding of Canadians that there must be an exchange of value for information between themselves and organizations in the course of commercial and other interactions, and that sensitive information must be governed accordingly. Key to this value exchange is to ensure that organizations are transparent and enable Canadians to make informed choices about their personal information in the course of interacting with business. This transparency will resonate, as people will see the direct benefits of the value exchange and be more open to building relationships with these organizations, based on trust and a common understanding of the benefit of sharing data and personal information in a careful manner. The education of consumers will continue to play an important role in this equation, and business will have a greater role to play in assessing what is reasonable in the circumstances to make sure it evolves with consumers’ reasonable expectations. 

Starting with accountability as an overarching principle (rooted in Canadian law since its inception), we must consider the reasonableness standard that applies to organizations and individuals alike; the actual limits to data collection and use; and the concepts of harm and sensitivity that are practical and yet set real limits on activities and expectations. Underpinning this is a foundation that assesses activities through a transparency lens and gives individuals a right of access as well as protection of their information. In this way, PIPEDA, with all its bells and whistles, goes a long way to meeting most if not all concerns that have been raised in the context of big data analytics and the Internet of Things. The challenge is not in our law, but in ensuring we continue applying that law effectively as technology and expectations evolve.

Sabrina Anzini, LoyaltyOne; Anick Fortin-Cousens, IBM; Amanda Maltby, Canada Post; Suzanne Morin, Sun Life Financial; Stephanie Rich, AIMIA; John Russo, Equifax; and Pamela Snively, TELUS.