Here at the IAPP Privacy Symposium in Toronto, federal Privacy Commissioner Daniel Therrien used his opening keynote address to announce a new sweeping consultation on the nature of consent and to call for an update to the “archaic” Privacy Act that covers the handling of citizen data.
The consent consultation, which you can participate in by sending an email here, is an “important exercise,” Therrien said, because PIPEDA “predates smart phones, cloud computing, and business models predicated on unlimited access to information and automated processes that use algorithms to make decisions.”
“It’s no longer clear,” he said, “who’s processing our data and for what purposes.”
How, then, should organizations inform individuals about how they are going to use their data and what role should a regulator play in that process?
Privacy notices are notoriously long and ineffective, Therrien noted. Further, “Is it fair to put the responsibility on consumers to make sense of these complex data flows?”
To kick off the consultation, the Office of the Privacy Commissioner released, in coordination with Therrien’s keynote address, a position paper that presents a sort of state of the state for consent, identifying troubling issues for the current consent model in PIPEDA and offering up a suite of possible solutions.
Many are calling, Therrien noted, for accountability frameworks and ethics boards and other methods for organizations to assess privacy risk and make use decisions without the explicit consent of the data owners. However, these organizations “are not impartial and will ultimately act in their own interests. This demands the presence of impartial actors who are responsible for protecting consumers.”
Many other regulators in other countries, Therrien noted, have the power to issue binding orders and impose financial penalties. Why not Canada? Without these powers, he seemed to imply, the accountability model would fail consumers in Canada.
Another school of thought surrounds providing consumers with more and better information. Therrien pointed to work done by the U.S. Federal Trade Commission exploring QR codes, set-up wizards, and privacy dashboards to help users manage their privacy across platforms and across services.
Would a group of companies from industry participate in such a scheme and honor user wishes well enough that consumers wouldn’t have to provide consent every time data is collected? Would consumers actually use and adopt such self-regulatory measures?
These are the issues on which Therrien is looking for feedback. Interested parties have until July 13 to submit their thoughts.
Therrien also reserved time in his remarks, however, to address the Privacy Act, which hasn’t been updated since 1983 and which he hopes Parliament will take up in short order.
“It goes without saying,” he said, “that our law governing how institutions disclose and use personal information is archaic. … It is in dire need of modernization.”
Specifically, Therrien’s office is calling on Parliament to at least hold public institutions to the same standards to which they hold private organizations in Bill S-4, which imposes mandatory safeguards for personal data. Public institutions should be bound by law to disclose breaches to the OPC, as well, and “privacy impact assessments should be a legal imperative.”
Therrien also believes there should be an expansive research and education mandate, as in PIPEDA for the private sector, and that annual or special reports on privacy efforts from public bodies are insufficient. Further, ministers’ offices, even the Prime Minister’s office, should not be exempted from the law.
The government, otherwise, “is proving to be increasingly out of touch with Canadians as to how they engage with the digital world,” he said. “We have a fundamentally changed privacy landscape. We are at a critical point where action is needed.”