From: Konrad von Finckenstein
To: The Hon. Navdeep Bains, Minister of Innovation, Science and Economic Development
Date: June 7, 2019
Re: How to get meaningful privacy consent for use of web data
Where data and privacy questions arise, the question of consent is crucial.
Europe’s General Data Protection Regulation came into effect a year ago requiring that “consent must be freely given, specific, informed and unambiguous.” GDPR compliance is swiftly becoming the world standard for consent, given the importance of the European market and given that GDPR applies to non-EU organizations if they offer goods or services, or monitor the behaviour of EU data subjects.
However, to operationalize this requirement in a simple, meaningful way is far from easy. Anyone using a new piece of software or visiting a new website has faced a page or more of dense legal text with an “I agree” box at the bottom. The majority of people click this without any idea of what they are agreeing to, and it clearly does not comply with the GDPR.
However, consumers still want assurance their data are not misused and are looking for meaningful protection.
The solution is within our reach.
We need only turn to organic food for an analogue. Consumers want organic food. They rely on the fact that food cannot be labelled as organic unless it complies with regulations. They have no idea of the actual requirements for producers to label food as organic, e.g., fields to lie fallow for an initial period, no artificial fertilizer, no genetic modification of plants or animals. They just know they want organic food and that any food so labelled must comply with some government-ordained procedure. They rely on this.
Equally, consumers who use the web look for full assurance that their personalized data will not be sold and used to influence their behaviour by the website they visit. They do not object to data being used for data mining and developing advertising approaches as long as it cannot be attributed or traced to them.
Data gathered on websites can be anonymized. Various standards are currently being used. A Canadian Anonymization Network has just been set up to create uniform standards. Once the standards have been established, two options are open.
Preferably a private outfit such as the International Organization for Standardization (ISO) will provide a service to monitor and certify that a social media company actually anonymizes according to the standards.
Alternatively the federal government should, by legislation, prescribe the standards for anonymization to be used to obtain data usage consent from consumers.
In either case, the Competition Bureau should be given the authority to levy administrative monetary penalties against data gatherers that misrepresent that they properly anonymize according to the prescribed standards.
When consumers then use a site, they would merely need to click “I agree” on a box that states “By using this site you consent that we use any data generated as long as it is being anonymized in accordance with the standards certified by the International Standards Organization (or alternatively ‘prescribed by government’).” The word ‘standards’ would be hyperlinked and a consumer could click to be taken to the website setting out the prescribed anonymizing standard.
Such a scheme, whether implemented by the private sector or government, can foster confidence in social media, without limiting its growth, while allowing consumers to give consent that is freely given, specific, informed and unambiguous.
The Hon. Konrad W. von Finckenstein, Q.C., was Chair of the Canadian Radio-television and Telecommunications Commission, a Federal Justice and Commissioner of Competition.
The views expressed here are those of the author. The C.D. Howe Institute does not take corporate positions on policy matters.