Toronto Real Estate Board Submission to Office of the Privacy Commissioner of Canada. July 2016

Transcription

1 Toronto Real Estate Board Submission to Office of the Privacy Commissioner of Canada CONSULTATIONS CONCERNING CONSENT AND OTHER MATTERS July 2016 Page 1 of 12

2 A. Summary Founded in 1920, the Toronto Real Estate Board ( TREB ) is Canada's largest real estate board, serving more than 45,000 licensed real estate brokers and salespersons in and about the Greater Toronto Area. TREB serves the collective voice for both its commercial and residential REALTOR Members. The business practice of TREB members involves the direct collection of personal information of consumers and the use and disclosure of such information for specific authorized purposes. TREB s policy is to respect the privacy rights of consumers. TREB remains vigilant in advising its members as to how best to market real estate while ensuring the protection of personal information. With respect to consent, TREB s view is that sufficient flexibility is already built into PIPEDA. This flexibility permits a more sophisticated approach to consent management. Consent should be a dynamic rather than static process and one that recognizes that organizations need to have a further degree of engagement with individuals over downstream uses. TREB is of the view that Privacy by Design concepts should be considered as part of an organization s accountability, limiting retention, openness and safeguards obligations that currently exist under PIPEDA. No separate legislation, or amendment of PIPEDA, is required. While codes of practice would provide a degree of standardization, TREB believes this would only be practical and workable if the OPC is willing to assist those sectors in the development and review of such codes. TREB believes a privacy seal program, operating alongside PIPEDA, has the potential to increase the regulatory burden of organizations without demonstrating corresponding benefits. TREB is of the opinion that the use of ethics boards should not be pursued. TREB is of the view that the OPC should have an order-making power requiring organizations to take specific actions to prevent further repeats of the acts or practices investigated and found to be non-compliant. Such power should be clearly subject to judicial review. However, the power to compensate any loss or damage suffered (which may include humiliation suffered by the Page 2 of 12

3 complainant or injury to the complainant's feelings) or administrative monetary penalties should remain with the Federal Court. B. Introduction With Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act ( Discussion Paper ), the Office of the Privacy Commissioner of Canada ( OPC ) has raised for public consideration what has been characterized as the consent dilemma 1. This term consent dilemma concerns divergent views of the future of the existing consent model as found in the Personal Information Protection and Electronic Documents Act 2 ( PIPEDA ). In providing the Discussion Paper and possible solutions to concerns about the current state of consent in PIPEDA, the OPC seeks to stimulate dialogue and solicit views. The Toronto Real Estate Board ( TREB ), on behalf of our members, is pleased to respond to the OPC s invitation and submit its views. Founded in 1920, TREB is Canada's largest real estate board, serving more than 45,000 licensed real estate brokers and salespersons in and about the Greater Toronto Area. TREB serves as the collective voice for both its commercial and residential REALTOR Members and operates under the direction of an elected voluntary board of directors. TREB s members collect an express consent for the collection, use and disclosure of personal information when entering into listing or representation agreements with vendors and prospective buyers of real estate. The objective of the consents used, together with privacy notices, is to limit the use and disclosure of personal information to the purchase and sale of real estate and support for the Multiple Listing Service system. The collection of personal information is direct and the limited use and disclosure of such information does not change over time. TREB s policy is to respect the privacy rights of consumers. TREB remains vigilant in advising its members as to how best to market real estate while ensuring the protection of personal information. C. Consent is Not a Dilemma 1. Technological Change 1 See Discussion Paper, p.1. 2 SC 2000, c 5. Page 3 of 12

4 Personal information protection concepts can trace their modern roots to the OECD's 1980 Guidelines for the Protection of Privacy and Transborder Flows of Personal Data 3 ( OCED Guidelines ). While not enforceable, these guidelines became a source for the principles informing data protection legislation in countries around the world, including Canada s PIPEDA. These guidelines and, in many respects, PIPEDA reflect ideas to address problems identified then and concerning, in part, technology that was very different from what is available now. The issue Canadians face now are whether such principles, including the need to obtain consent, continue to work in a world that has gone from mainframe to mobile technology. And whether they can they work where longitudinal profiles of individuals become prized in a data-centric, networked world? The Discussion Paper notes...there is concern that technology and business models have changed so significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent. Business and technology models constantly evolve. However, statutes need not promote technology as a driver for legislative change so as to dictate preferences or directions. Legislation, however, does need to be responsive where there is a clear failure in a statute s underlying policy objectives. It is far from clear that PIPEDA s principles approach with respect to consent has failed. PIPEDA was created to be technology-neutral and this concept should not be abandoned. Innovation through enhanced data analytics and the deployment of new collection points (e.g. the Internet of Things or IoT ) represent new challenges to privacy. However, innovation is not predicated on sacrificing privacy. There is a delicate balance in allowing access to and exploitation of one's personal information for commercial gain. The concept of consent forms an important element in maintaining that balance. 2. Notice and Choice Also noted in the Discussion Paper, one view of expecting individuals to take an active role in deciding how their personal information is used in all instances is increasingly unrealistic 4. This discussion arises, in part, because of an argument that the notice and choice model has failed. 3 Updated in 2013, these guidelines may be found at: ersonaldata.htm 4 Supra, note 1. Page 4 of 12

5 Notice here means informing individuals about the personal information collected, used and disclosed and choice means permitting a decision to accept such collection, use and disclosure. The idea being few people read privacy policies. While there is research to support this point, it can be argued this reflects the inadequacy of formalistic and/or legalistic privacy statements. Simply because the notice is inadequate does not mean one eliminates choice. Related to the failure of notice and choice (i.e. consent as a means of expression of agreement with proposed uses/disclosures) is the notion that the ability of individuals to manage their privacy is burdensome. Too many privacy statements to read; too many uses (as well as the on-going evolution of uses) mean that the active management by an individual of the collection, use and disclosure of their personal information becomes difficult. 3. Consent Remains a Fundamental Concept So do these points this mean consent is an antiquated concept? TREB s view is that adherence to explicit consumer consent is fundamental concept that should not be re-thought or abandoned. The technologies deployed today that interact with individuals in a myriad of ways all permit business to create profiles/opinions about them and influence actions towards them. As data collection spread from individuals to devices (e.g. IoT), this ability to create profiles of individuals based on activities, relationships, preferences, or lifestyle makes the concept of consent more important than ever. Indiscriminate information collection does not mean that there will be societal benefits: information does not equal knowledge despite claims to the contrary. Whatever benefits are perceived through the wholesale collection and analysis of personal information, the purpose of PIPEDA involves the recognition of the right of privacy of individuals. Removing individuals from the equation is, at best, paternalistic and, at worst, a de facto dismantling of privacy protection. TREB s members deal with consumers and their personal information on a daily basis. Their limited use and disclosure of personal information of their clients reflects an understanding of the risks (e.g. the potential for mortgage fraud and identity theft) for individuals in the world of real estate. They are also aware of the potential for abuse of personal information by clients when there is an emotionally charged divorce, estrangement or settlement of an estate. As a result, TREB and its members acutely understand how home purchasers and vendors feel about the need to protect their personal information. Page 5 of 12

6 The 2014 OPC Survey of Canadians on Privacy reflects this need: Canadians increasingly feel that their ability to protect their personal information is diminishing. 73% believe they have less protection of their personal information in their daily lives that they did in the prior ten years. 9 in 10 Canadians expressed some level of concern about the protection of their privacy, with 34% saying they are extremely concerned, an increase from 25% in Three-quarters of Internet users expressed some concern about the different ways the information available about them online might be used by organizations. 49% were very concerned about the impact on their personal reputation when information is collected, assembled, and made into profiles about them. These numbers reflect the unease of Canadians as to the state of their privacy and TREB is sympathetic to the views of Canadians that there has been a diminishment of personal information protection. One might argue that these numbers reflect a disconnect between existing privacy notices/statements/policies; the degree of understanding of what consent entails and the expectations of Canadians. Further underlining the importance of this issue is the potential uses of personal information collected without the knowledge or consent of individual Canadians. As noted by Patricia Kosseim, Senior General Counsel, Office of the Privacy Commissioner of Canada, in a speech at the Canadian Institute for the Administration of Justice Annual Conference in 2014: What about when big data are used not only to sell our identities, but to shape our identities? When big data track our friends and activities on social media sites in order to predict our political leanings and unleash last-ditch efforts to influence our vote? Or when click stream data are used to profile us into certain interest categories and show us tailored versions of the daily news reinforcing initial biases and depriving us of a more complete understanding of the world s events? Commodifying who we are, inferring who we are, or shaping who we are seems intuitively at least, to injure our identities and offend our sense of dignity. 5 5 Patricia Kosseim, Where Big Data Meets Law, 17 October 2014, online at: Page 6 of 12

7 Consent is more than a concept to be incorporated into forms or contracts; it represents a degree of empowerment on the part of individuals over their personal information and that empowerment should not be lost. Given the experience of its members and the kinds of questions raised with TREB in dealing with frontline use and disclosure issues especially with the sensitive financial information surrounding real estate transactions -- TREB s view is that adherence to explicit consumer consent is fundamental concept that should not be re-thought or abandoned. 4. Consent Should Be Dynamic TREB s view is that sufficient flexibility is already built into PIPEDA. The federal statute requires that consent must be obtained (1) before or at the time of collection, or (2) when a new use of personal information has been identified. PIPEDA s Schedule 1 recognizes that the form of consent can vary, taking into account the sensitivity of the information and the reasonable expectations of the individual. And, as the Discussion Paper emphasizes, express consent is the most appropriate and respectful form of consent to use generally, and is required when sensitive information is at issue. This flexibility within PIPEDA suggests that a more sophisticated approach to consent management needs to be considered. Consent is linked to both collection and use but need not be obtained only at an early stage of the relationship between organizations and individuals. Associated with this is a need for communication since trust in an organization s protection and use of personal information will grow with a better refinement of individual privacy expectations. This, in practice, means less of a file and forget attitude on the part of organizations when they publish privacy policies/notices and a more active role in managing privacy expectations. TREB agrees with the suggestion to enhance informed consent through more understandable and useful ways of explaining information management practices to individuals as well as more user-friendly ways of expressing privacy preferences. As the Paper rightfully notes, the proactive approach to privacy protection fosters trust on the part of individuals that their data will not be used in unanticipated ways and without their consent. TREB interprets this as a need for more dialogue and understanding to better meet privacy expectations on the part of both the organization and individuals. In keeping with the principles underpinning PIPEDA, consent can be provided in a variety of ways, at different times and using different mechanisms. As noted in the OPC s own Online Behavioural Advertising Guidelines 6, organizations today can use a 6 Online at Page 7 of 12

8 variety of communication tools, including online banners, layered approaches, and interactive tools to explain their practices. This can be extended to off-line activities. TREB believes that consent, therefore, should be a dynamic rather than static process and one that recognizes that organizations have to have a further degree of engagement with individuals over what are often called downstream uses. This approach, when applied to making consent more meaningful and relevant, suggests a need for criteria and guidance for use by organizations to allow them to take a better, more interactive approach. Since consumers often become most upset when they discover that their personal information is being used in ways they did not consider, such engagement will ensure a management of expectations on the part of individuals. D. Alternatives to Consent 1. De-identification TREB believes de-identification has a role in the protection of personal information but cannot be viewed as a substitute for consent or a sufficient protection mechanism in and of itself. One also has to bear in mind, in connection with data analytic efforts, that organizations may not want to de-identify individuals they often want to build profiles of identifiable individuals to better support sales and marking initiatives. The ability to de-identify is dependent upon the technique used and the reidentification risk (this risk defined as whether those seeking to re-identify the information possess the specific skills, knowledge, and access to do so). There are different approaches to de-identification (e.g. removal of direct identifiers, pseudoanonymization) and re-identification. How exactly de-identification can be used as an alternative to consent needs better definition before it can be further considered. 2. No-Go and Caution Zones These concepts to be akin to a red light (no collection of certain types of information; no collection from certain classes of individuals) or yellow light (enhanced treatment of sensitive information) definition of situations. TREB believes that information surrounding real estate transactions would fall into the latter ( yellow light ) category. Page 8 of 12

9 PIPEDA s Regulation Specifying Publicly Available Information 7, and its subsequent interpretation, defines a zone around publicly available information and puts boundaries around the use of such information. The no go or caution zones suggested in the Discussion Paper reflect a similar concept and the challenge will be in developing reasonable rules/definitions around these zones to balance the interests of organizations and individuals. There are Canadian examples of personal health information protection statutes where use without consent is permitted. Those examples reflect an ecosystem with extensive regulatory oversight by professional bodies, there are limited purposes and there is a general culture of patient confidentiality. Whether that concept will scale across a variety of industries is debatable. One might also ask if the OPC will have the resources to provide a similar type of oversight. TREB s view is that the idea sounds good in theory but there is a real question as to whether it would work in practice. At this time, TREB believes that PIPEDA s requirements under s. 5(3) are sufficient with respect to use. E. Governance The Discussion Paper segues into a number of options to consider for the purposes of ensuring strong privacy protections. As noted, some of proposals serve to enhance consent, some are alternatives to consent, and some may belong in a self-regulatory framework. This section elaborates on TREB s views on such options. 1. Privacy by Design ( PbD ) The Discussion Paper asks how should the seven principles of PbD be treated in the context of Canada s privacy law framework? Should this concept merely be encouraged as a desirable aspect of an accountability regime? Or should it become a legislated requirement as it will soon be in Europe? TREB is of the view that these concepts should be considered as part of an organization s accountability, limiting retention, openness and safeguards obligations that currently exist under PIPEDA. No separate legislation, or amendment of PIPEDA, is required. A better approach is to foster the maturation of privacy management within 7 SOR/ Page 9 of 12

10 organizations so as to promote a proactive, lifecycle approach to information management and protection. Taking these concepts from PbD provides a more robust privacy management/accountability framework. 2. Governance: Codes of Practice Whether sectoral codes of practice do indeed enhance consent and/or privacy protection remains to be confirmed. Different organizations within a sector may well have different states of privacy posture with different levels of maturity. Such codes, though, do have a salutary effect as well as an educative role. TREB, for example, uses the National Privacy Code for REALTORS, developed by the Canadian Real Estate Association, to educate its members on their privacy obligations. Codes of practice would provide a degree of standardization but TREB believes this would only be practical and workable if the OPC is willing to assist those sectors in the development and review of such codes. They have to be more than a common privacy policy and have to have a high degree of granularity. Whether agreement on codes at a granular level is possible remains to be seen. 3. Privacy Trustmarks The Discussion Paper raises the question of the merit of a privacy trustmark or seal program. As the paper itself notes for a privacy seal program to function effectively in Canada, there would need to be an objective mechanism in place to evaluate how well the program aligns with legislated privacy requirements as well as an independent audit function to ensure continued upholding of standards. Reference is made in the paper to proposed British and European programs. While the regulatory regime is Europe is heavier than it is in Canada, the UK program is voluntary and the European Privacy Seal program is geared to the narrow certification of compliance of IT products and IT-based services with European regulations on privacy and data security. Such programs are usually intended to promote organizations that exceed the established standard and correspondingly build consumer trust. However, they also require the establishment/designation of an accreditation organization and the establishment of criteria. While the idea is raised in the Discussion Paper, it is not clear whether such a program is voluntary or the implications of some organizations going the mark route while others, for reasons of expense, do not. TREB does not believe it is necessary to allow for a privacy seal program to operate alongside PIPEDA. To introduce such a program increases the potential for an Page 10 of 12

11 increased regulatory burden and unnecessary bureaucracy without demonstrating corresponding benefits. 4. Ethical Assessments The concept of ethics boards can be seen as a supplemental check as to whether consent was legitimately obtained or based on sufficient knowledge. The fundamental question in any use of a third party to consider whether uses of data are ethical, fair, or appropriate is what standards are used to determine what is fair and appropriate. Section 5(3) of PIPEDA already provides a starting point for an objective determination of what s appropriate in the collection, use or disclosure of personal information. In a medical research context there is a considerable degree of detail associated with a formal consent document. It is an open question as to whether such an approach would be incompatible with what may happen in a business context. There are also questions of the composition and independence of such boards or their power (or desire) to prohibit proposed uses of personal information. TREB is of the opinion that the use of ethics boards should not be pursued. This seems a delegation of a determination that should remain with the OPC. Depending on how such boards are established, such a delegation may result in inconsistent interpretations of what is ethical or fair. F. Enforcement The Discussion Paper raises a question as to enforcement, specifically whether the provision of an order making power to the OPC is appropriate. TREB recognizes that such a power can serve as a strong incentive for organizations to stop privacy-invasive practices. Similarly, amendments made to PIPEDA by the Digital Privacy Act 8, with fines for knowingly violating the notification requirements, introduces another enforcement mechanism. TREB notes that the OPC in its position paper The Case for Reforming the Personal Information Protection and Electronic Documents Act 9 has already advocated for greater power: The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. 8 SC 2015, c 32 9 Online at: Page 11 of 12

12 It is time to put in place financial incentives to ensure that organizations accept greater responsibility for putting appropriate protections in place from the start, and sanctions in the event that they do not. Without such measures, the Privacy Commissioner will have limited ability to ensure that organizations are appropriately protecting personal information in the age of Big Data. TREB is of the view that the OPC should have an order-making power requiring organizations to take specific actions to prevent further repeats of the acts or practices investigated and found to be non-compliant. Such power should also be clearly subject to judicial review. However, such powers should not include an ability to compensate any loss or damage suffered (which may include humiliation suffered by the complainant or injury to the complainant's feelings) or administrative monetary penalties. TREB believes any question of damages or penalties should be left to the Federal Court. G. Concluding Remarks The business of real estate involves the collection, use and disclosure of personal information. Because of this, TREB and its members are sensitive to the privacy interests of consumers who are also real estate clients. TREB s policy is to respect the privacy rights of consumers. TREB remains vigilant in advising its members as to how best to market real estate while ensuring the protection of personal information. Throughout all of its activities, TREB has been consistent in its advocacy of the need to find an appropriate balance between the importance of informed consent in order to protect privacy, and the desire to foster innovation and technological developments. With respect to the main question about consent posed in the Discussion Paper does the solution lie in giving individuals better information and mechanism by which to make informed choices? TREB s answer is yes. Legislative changes are not necessary as PIPEDA, as amended by the Digital Privacy Act, contains provisions that adequately protect consumer privacy interests in Canada. What is required is to make consent a more dynamic process for businesses and consumers alike. Page 12 of 12