Speaking to a sold-out audience here at the 10th annual IAPP Canada Privacy Symposium in Toronto, Privacy Commissioner of Canada Daniel Therrien announced the release of new guidelines on meaningful consent and inappropriate data practices, or what he called "no-go zones," as well as a restructuring of the agency and the investigation of six data brokers.
"We need to change our approach to privacy protection," Therrien warned. "The scale and pace of technology and their use are significantly preventing people from protecting their privacy."
Describing the office's new approach as "proactive," Therrien characterized the new meaningful consent guidelines as "practical and actionable advice" for organizations. The guidelines, which have been jointly issued with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia, reflect "the principles underlying" the Personal Information Protection and Electronic Documents Act and the provincial laws of Alberta and British Columbia.
Though the OPC decided not to provide a privacy policy template, something some stakeholders suggested, the agency wants organizations to follow seven principles, which generally revolve around a user-centric and innovative design. On top of these principles, Therrien stressed the importance of deciding which form of consent users should receive. Organizations should also obtain express consent if the data collected is sensitive, "outside the reasonable expectations" of the user, or the collection, use or disclosure of the data would result in "significant harm."
In its guidelines on consent, the OPC is clear about what organizations must do to obtain meaningful consent and what it should do. "We think our role as regulator is to clarify the law and how it generally should be interpreted," Therrien explained.
Supplementally, Therrien announced what he called "no-go zones," particularly guided by PIPEDA subsection 5(3). The guidance states, "we have determined that the following purposes for collection, use or disclosure of personal information would generally be considered 'inappropriate' by a reasonable person." These six no-go zones, which the guidelines state could evolve over time, include unlawful collection, profiling or discriminatory treatment, processing that could cause significant harm, publishing data with intent to charge for a take down, requiring social media passwords for employee purposes, or audio or visual surveillance of an individual through that individual's own device.
Therrien noted that the no-go-zone guidance is final and will become applicable July 1. The consent guidelines, however, will become applicable Jan. 1, 2019.
Though in brief, the commissioner also said the OPC has initiated an investigation into six "data and list brokers."
Describing this year's agenda as "ambitious" and "proactive," Therrien explained the moves are part of a larger reorganization of the agency. "We've made significant changes to our organizational structure," he said. "We've streamlined operations by clarifying program functions and are shifting the balance toward proactive efforts. The OPC will now feature two programs: promotion and compliance."
To help lead these two programs, Therrien says the OPC will name two deputy commissioners. Under the promotion program, the OPC will help educate Canadian citizens on their rights and guide companies on the compliance efforts. "This could include how to achieve meaningful consent," he said. "Under this advisory capacity, the OPC would seek to better understand privacy impacts of new technology and to provide guidance. We would be helping to address privacy issues up front. We prefer this approach."
The compliance program would address "systemic privacy issues not being addressed through our complain system."
Together with its new guidelines on consent and no-go zones, the OPC plans to roll out "a series of measures" to help address a digital environment that is growing more complex as new innovations in internet-of-things devices and artificial intelligence enter the market.
"We realize most organizations want to do the right thing," said Therrien. "We want to help them."