This week I traveled to Toronto to spend two days with the privacy team from Dentons. The firm is committed to being a leader in Canada by getting as many of their lawyers and non-lawyers certified as CIPP/Cs. Three in the group already obtained the credential so they took the training class as a refresher. It was a really nice way to spend Data Privacy Week. We spoke about how the landscape in Canada is changing, what’s coming down the pike and where things might be headed.
A good chunk of the class was spent talking about notable cases and, right in the middle of it, the Office of the Privacy Commissioner of Canada released a big one involving Home Depot. It raises interesting issues I’m sure will stimulate further debate and discussion among privacy pros. You can read more about the decision in the digest.
During the training we also talked about the role of consent in Canada’s privacy laws and whether or not our emphasis on consent makes as much sense today as it might have 25 years ago. If you’ve read my past rants, you’ll know I think we need to move away from consent as the silver bullet in every case. There are just too many instances in today’s world where, because of the reliance on consent, we are forced to click “I agree” to get through perfectly innocuous transactions. There’s no way anyone can conclude that these “consents” (if you can call them that) are in any way meaningful and there’s no way everyone understands exactly what they are agreeing to when they click.
The threshold for the processing of personal information must move beyond simply requiring consent at every turn. We should take a closer look at our EU colleagues, who now use a more ethics-based evaluation by allowing personal information processing if there are legitimate reasons that will not harm the individual whose personal information is implicated. There’s no need to always rely on the fallacy of a contrived consent.
It’ll be interesting to explore — if debates on C-27 ever advance (hint, hint) — whether the Home Depot case and many others that have emphasized consent over the years might have been decided differently under a new regime.
On that note, I hope your Data Privacy Week has been an occasion to raise privacy awareness within your organization, to learn and engage in various privacy events on and offline, and to tout all the great work you do as a privacy professional.