More Proactive Enforcement and Compliance Models for Privacy Protection

October 5, 2017

Privacy Commissioner files Annual Report

In his Annual Report to Parliament the Privacy Commissioner of Canada has argued that Canadians are losing control over their personal information in the digital age, and that urgent change is needed to restore confidence. The Commissioner, Daniel Therrien, recommended a number of solutions, including legislative amendments to provide for order-making powers and the ability to impose administrative monetary penalties to ensure that Canadians’ privacy rights are properly protected. Therrien says that these changes would bring Canada in line with many of its provincial and international counterparts, including the United States and many European countries.

The Commissioner added that his office will begin to act immediately to improve privacy protections for Canadians. In particular, he pointed to the limitations of the existing complaints-based procedure, noting that “[p]eople are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information.” He argued that a more proactive enforcement and compliance model would expand his Office’s ability to protect interests. Complaint-based powers:

“are limited and do not authorize my Office to perform proactive audits simply to verify compliance, without grounds that a violation has occurred. These powers would be very useful, indeed necessary, in a field like privacy where business models and data flows are often complex and far from transparent.”

The Report also considered the issue of online consent by consumers, specifying four key elements that should be highlighted in privacy notices and explained in a user-friendly way:

  • what personal information is being collected;
  • who it is being shared with, including an enumeration of third parties;
  • for what purposes is information collected, used, or shared, including an explanation of purposes that are not integral to the service; and
  • what is the risk of harm to the individual, if any.

The Commissioner noted that the Commission had received calls to establish templates for online consent forms but felt that they ought not to adopt the role of a regulator. Instead they encouraged organizations to “find innovative and creative solutions to the consent process in a manner that respects the nature of their relationship with consumers”, and articulated a number of principles which should guide those solutions:

  1. Information provided about the collection, use and disclosure of individuals’ personal information must still be readily available in complete form, although, to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent (see elements below).
  2. Information must be provided to individuals in manageable and easily-accessible layers, and individuals should be able to control how much more detail they wish to obtain and when.
  3. Individuals must be provided with easy “yes” or “no” options when it comes to collections, uses or disclosures that are not integral to the product or service they are seeking.
  4. Organizations should design and/or adopt innovative consent processes that can be implemented just in time, are specific to the context and appropriate to the type of interface used.
  5. Consent processes must take into account the consumer’s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organizations’ target audience(s).
  6. Organizations, when asked, should be in a position to demonstrate the steps they have taken to test whether their consent processes are indeed user-friendly and understandable from the general perspective of their target audience.
  7. Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process.

In addition, the Report recommends legislative change to specify areas where collection, use and disclosure of personal information is prohibited, including situations that are known or likely to cause significant harm to the individual.

The Commissioner also noted that it is important to empower children to protect their privacy from a young age and called on provincial and territorial governments to integrate privacy education in school curricula.