Is Consent the Foundation of Fair Information Practices? Canada's Experience Under PIPEDA

I Introduction

In January 2001, Canada's federal government put in place an important new component of data protection law: the Personal Information Protection and Electronic Documents Act (PIPEDA).¹ PIPEDA regulates the collection, use, and disclosure of personal information within the private sector. This act takes its place alongside the federal Privacy Act and Access to Information Act,² which regulate the public sector, together creating a fairly comprehensive federal regime of data protection and implementing what have come to be known internationally as 'fair information practices.' Fair information practices involve a number of core entitlements that seek to place limits on information processing practices as well as to ensure the transparency and accountability of these practices. Within this model of data protection, privacy is often seen as the core interest protected and individual consent as the central vehicle through which this protection is accomplished. This certainly characterizes the rhetoric surrounding PIPEDA.

Initially, PIPEDA applied only to the federally regulated private sector as well as to organizations engaged in collecting, using, or disclosing information outside of the province or country. However, PIPEDA's staggered implementation schedule was completed as of January 2004, and it now also applies to all organizations engaged in commercial activity within a province, unless that province has enacted 'substantially similar' legislation.³ To date, Quebec, British Columbia, and Alberta have all enacted legislation that has been deemed substantially similar.⁴ This article argues that two of these initiatives raise interesting questions about the relationship between consent and privacy and suggest that derogations from consent are not necessarily derogations from privacy. That is, they call into question the claimed centrality of consent to fair information practices and the data protection regimes modelled upon them.

The privacy legislation of both British Columbia and Alberta permits employers to collect, use, and disclose personal information about employees without employee consent so long as employees are notified prior to the collection, use, and disclosure and 'the collection [and use and disclosure] is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.'⁵ When first introduced, these provisions received strong criticism from some privacy advocates. For example, former privacy commissioner George Radwanski argued that the BC Act 'is clearly inferior' to PIPEDA with respect to protecting employee privacy and that the 'reasonable' test that the act does provide is 'meager consolation for employees or prospective employees concerned about privacy.'⁶ Nonetheless, these acts have been found to provide 'substantially similar' protection to that of PIPEDA, although the basis for this finding in relation to employee privacy has not been articulated. The most straightforward reason would be that even if PIPEDA applied to activity within the provinces of BC and Alberta, it would not apply to employees but only to commercial activities; PIPEDA applies to employee information only within the federally regulated sector.⁷ In other words, the BC and Alberta Acts provide privacy protection for employees superior to that of PIPEDA because PIPEDA applies only to a narrow category of employees. A much different reason would be that the kind of privacy protection that PIPEDA offers to employees in federally regulated industries is equivalent to the privacy protection offered to employees generally under the BC and Alberta Acts. According to this line of reasoning, a regime of notice and reasonableness provides the same level of privacy protection as a regime of notice, reasonableness, and consent.

This article argues that this second line of reasoning is in fact persuasive. Moreover, it argues that this line of reasoning is persuasive even outside the employment relationship. Its central claim is that the alleged centrality of consent to the protection of privacy is misplaced: all derogations from consent are not necessarily derogations from privacy.

A number of reasons support this claim...