Friday, February 12, 2010

Privacy Commissioner consultations on new technologies: a few thoughts

Over the last month, the Office of the Privacy Commissioner of Canada has launched two public consultations related to new and emerging technologies. The first, called for in January of this year, relates to "online tracking, profiling and targeting of consumers by marketers and other businesses." The second, which will focus on cloud computing, was announced yesterday. The consultations call for written submissions and will culminate with public events in Toronto, Montreal and Calgary.

It will be interesting to see what these consultations bring to the fore, particularly in light of the Commissioner's observation that PIPEDA has been "sorely tested" over the last decade and may need fortification for the next decade:

Speech: The Future of Privacy Regulation – February 10, 2010

"But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested. We have bent and stretched it in many different ways.

And, if we don’t want it to snap, we need to figure out how to fortify it for the decade ahead.

For that, we need to look at our privacy laws and administrative structures. We need to dramatically modernize the Privacy Act, which governs the public sector, and to consider whether PIPEDA, the private-sector Personal Information Protection and Electronic Documents Act, remains suited for the next 10 years.

But we cannot function in isolation. We need to examine what’s happening in other jurisdictions, and work with them on common approaches to the challenges we all share."

PIPEDA, for all its weirdness as a statute, is in my view surprisingly resilient. It is because it is based on flexible principles rather than prescriptive rules that it can accommodate various industries and new technologies. The defects that were there on day one are generally still there, but its technological neutrality was well drafted and has withstood the test of time.

For example, it is firmly based on the idea of reasonableness, notice and consent. Provided the purposes are reasonable, there is notice, and consent is obtained, the law fits and will work. This is regardless of whether the information is collected online, in person or via stone tablets. It works if the information is directly identifiable to the individual (name), can lead to the identification of the individual (other identifier) or relates to some characteristic of the individual (house price). The exceptions to the law, such as journalistic collections of information, are generally reasonable and in fact necessary in light of the Charter of Rights and Freedoms.

Perhaps some guidance is useful. For example, it would help to have some consensus on best practices for notices to individuals related to the use of persistent cookies or when information will potentially cross borders. But ultimately all of these are within the domain of a judge interpreting the statute, who will have a pretty robust, principled, technologically neutral lens to look through.

Those are just my thoughts ... it will be interesting to see what the participants have to say.
