International: Privacy implications of wearable tech: Part 2
New technologies may reveal shortcomings in pre-existing legislation and how the broad, 'catch-all' language employed may be insufficient. As explored in Part 1 of this series, wearable tech is one example of a development that can call the efficacy of such laws into question. In Part 2, Saba Samian, Associate at Norton Rose Fulbright, delves further into this topic, giving an overview of the issues faced when regulating new technology and how common law jurisdictions such as Canada may meet these challenges.
The first prong of the solution: the regulatory strategy
To preface a proposed solution to resolve the tension between innovation and privacy, it is important to unpack an oft-cited term: the digital dichotomy[1]. This phrase refers to the misunderstanding that the digital world is inherently markedly different from the physical world[2]. This misinterpretation likely stems from our increasing dependence on electronic applications that enhance our everyday lives[3]. Ride-hailing apps are the perfect example of this way of thinking in today's digital era. This innovation allows a physical being to drive a physical car and arrive at a physical location. However, the functionality of this series of events is seen as being in cyberspace since an application is what causes a 'car to appear' at the rider's convenience[4]. This disconnect - as we settle into the increasingly complex digital era - causes the assumption that there should be one set of rules for the physical world, and one set of rules for the digital world[5]. However, the very fact that we are now living in the digital era means that these worlds are one and the same[6]. This means that we do not necessarily have to reinvent the wheel simply because we are taking advantage of technology. Rather, we can modify the existing rules that we applied to past innovations that were perhaps less evolved.
In parallel, many also believe that regulation is the antithesis of innovation[7]. A common contention is that innovation can only thrive without regulation and that government intervention acts as a block on entrepreneurship[8]. This is untrue and, in fact, the rise of the internet demonstrates this[9]. The development of electronic commerce in the 1990s was heavily dependent on significant government intervention[10], which, indeed, facilitated the growth of innovation through a set of regulations that assisted emerging start-ups[11]. For this reason, start-ups sought out governmental assistance to be able to thrive in a more steady, but innovative, environment. As a result, regulation does not have to be the ill-perceived notion that many believe it to be. Rather, it can help bring innovations to the forefront and allow them to not only grow, but also become more accessible to the public.
To offer a multijurisdictional perspective, it is prudent to consider a prominent example of a service that thrived within a regulated environment in the form of voice call applications. When these were first introduced, they were illegal in most jurisdictions, including the U.S., because the offering of a communications service that was offside the existing regulatory infrastructure in a prior era was prohibited[12]. Currently, ride-hailing apps are also illegal in many of the jurisdictions in which they operate[13]. However, it is important to refrain from imposing traditional regulations on innovations that simply do not fit the frame that is in place today. Instead, as innovations grow, entrepreneurs can work collaboratively with regulators to implement the rules that are needed. This is arguably the most effective way to update the outdated legislation, including privacy, in jurisdictions like Canada[14].
Given the division of powers under Sections 91 and 92 of the Constitution Act, 1867[15], federal and provincial regulations must be considered separately. This is underscored by the fact that the risk of a data breach differs between public and private sectors. In the former, a piece of smart clothing could be ordered by a doctor to collect information that will be processed and controlled in a hospital (a public entity). The risk of personal data being exposed by a hospital is low given the institution's federally regulated protocols. In the private sector, however, data can be exchanged much more freely[16]. Indeed, companies have already tapped into using personal data (such as email addresses) similar to currency[17], and the same rules that would apply to federal entities do not act as barriers for private smart clothing companies.
Risk to privacy in relation to federal entities
The Privacy Act[18] governs the information handling practices of federal government institutions. This Act, however, works in parallel to other rules that regulate the internal procedures within government institutions, which mandate how operations should be conducted. As a result, the previously mentioned value that data has gained in recent years is not directly relevant to federal institutions since data cannot be taken advantage of in the same way. Nevertheless, despite the offers of the Privacy Commissioner of Canada, the Privacy Act has not been substantively updated since 1983[19]. As a result, the proposed solution set forward in this essay is a call to action for a further reconsideration of the relevancy of this act. However, the pragmatic aspect of this solution calls for a lowered emphasis on a change to federal legislation. This is due to the aforementioned risk of a data breach, which means that time and capital are better spent on filling in the regulatory gaps that are more pertinent. The extent of the regulatory lag with respect to recent innovations like smart clothing calls upon us to address this problem efficiently, and this must be a consideration in a proposed solution.
Risk to privacy in relation to the private sector
The Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA') governs how private sector organisations collect, use, and disclose personal information in their business practices. The high risk of a data breach in the private sector and the aforementioned realities of how much value data has gained when it can be traded make a regulatory reform to this piece of legislation a high priority. PIPEDA recognises that we are living in a world 'in which technology increasingly facilitates the circulation and exchange of information'[20], which is why it was updated much more recently in 2018. However, the legislation presents some gaping holes and ambiguous clauses that simply make it inept to deal with innovations like smart clothing.
For example, Section 5(3) of PIPEDA gives a business the right to 'collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances'[21]. The ambiguous nature of this clause would seem problematic for devices used in commerce that use data collection tangentially (such as a department store getting a customer's information for a transaction), let alone devices that have data collection as their sole purpose. Smart clothing is, indeed, 'smart' because it has the ability to collect a large volume of information, and this would be in accordance with PIPEDA because that is 'appropriate in the circumstances'. Otherwise, the entire purpose of such innovations would be undermined, which can ultimately bring entrepreneurship to a halt given our increasing reliance on data.
Furthermore, Sections 6.1 and 7(1)(a) of PIPEDA also serve as primary examples of why a regulatory update is needed[22]. Once again, the broad wording of Section 6.1 states that consent is valid as long as it is 'reasonable to expect' that the individual understood the nature of the organisation's goal and why consent is being sought[23]. However, that is not the problem that the legislation should be addressing. The consumers of smart clothing likely understand what they are buying - in fact, that is why they have sought the product out in a free market. What they are less likely to understand is how their data is being controlled and processed, which seems to be left out of PIPEDA. Indeed, Section 7(1)(a) of PIPEDA even permits an organisation to collect personal information without the knowledge of the data subject in certain instances, including if 'the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way'. It is important to note, however, that the vagueness in PIPEDA can be attributed to the fact that the legislation is driven by common law, and therefore courts have the power to interpret and fill in the necessary gaps. In contrast, legislation similar to the General Data Protection Regulation (Regulation (EU) 2016/679) is driven by civil law, which explains the higher level of detail. Still, the ambiguity of the legislation is not the primary issue, but rather it is the fact that the legislation lacks a forward-looking perspective to accurately capture recent innovations like smart clothing. Additionally, as noted by Justice Rothstein during his session as part of the IP Intensive program at Osgoode Hall, most Canadian law is derived from statute, which further underscores the importance of legislative clarity and direct guidance[24].
Once again, the primary issue is not the actual collection of the information and whether that is in the consumer's interest, but how that information will be stored and disseminated going forward.
In reconciling the regulatory lags mentioned above with the fact that the existence of regulation does not have to be seen as a block to innovation, the solution proposed here is a call to action for an updated set of regulations with respect to storing and disseminating the personal data captured by innovations like smart clothing. Both innovation and privacy are important to the interests of the public and an appropriate medium would be regulations that control innovations effectively. In other words, a one-size-fits-all approach is problematic. The pragmatic solution would be an ongoing dialogue between entrepreneurs and the legislature to ensure that the correct gaps are filled.
Interestingly, the Government of Canada made recent changes to PIPEDA, effective on 1 November 2018[25]. However, these changes deal with notification and recordkeeping with respect to privacy breaches. This is ineffective because while taking the correct action in the case of a breach is important, it is an ex-post remedy when ex-ante precautions are needed. Furthermore, the stringent recordkeeping requirements under the new PIPEDA updates will not only cause several compliance obstacles for businesses, but may also spur new litigation and class actions[26]. As such, it is important to consider whether this risk is worth the update, especially if it does not directly consider innovations, like smart clothing, that could have an intrusive impact on privacy. Nevertheless, this announcement demonstrates a glimmer of hope because it suggests that Canada is actively seeking to update its current privacy laws, which makes the solution posed in this section a practical one.
The solution posed here is not meant to be all-encompassing, but rather to act as an efficient form of change that can result in the greatest benefits. Therefore, the forthcoming update to our current legislation, including PIPEDA and the Privacy Act, should focus on the provisions that specifically address data storage and dissemination. After all, this is the most direct and substantial privacy risk associated with wearable technology.
Furthermore, in order to best capture the essence of such provisions, it is important to engage in consultations with active entrepreneurs in this space, as well as consumers of wearable technology, in order to get a sense of the primary concerns. The second prong of the proposed solution addresses this point, in the next instalment of this series.
Saba Samanian, Associate
Norton Rose Fulbright, Toronto
1. Kevin Werbach, 'How to Regulate Innovation Without Killing It', Wharton University of Pennsylvania (February 3, 2017) Available online: http://knowledge.wharton.upenn.edu/article/how-to-regulate-innovation-without-killing-it
15. The Constitution Act, 1867, 30 & 31 Vict, c 3, ss 91, 92.
16. Lundquist et al, supra note 22 at 91.
17. Humer and Finkle, supra note 43.
18. Privacy Act, RSC, 1985, c P-21.
19. Office of the Privacy Commissioner of Canada, supra note 27.
20. PIPEDA, supra note 46, s 3.
21. PIPEDA, supra note 46, s 5(3).
22. PIPEDA, supra note 46, s 6.1 (for the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organisation's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting) and Section 7 (7 (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organisation may collect personal information without the knowledge or consent of the individual only if (a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way).
23. Similarly, the broad interpretation of Section 20 and Section 27 of the Health Information Act caused trouble in Lycka v Alberta (Information & Privacy Commissioner), 2009 ABQB 245,  AWLD 2001. In this case, the Privacy Commissioner's interpretation of these Sections was reversed, because it rendered consent useless.
24. Justice Marshall Rothstein, 'Hon. Marshall Rothstein, QC discussion with the class', delivered at Osgoode Hall Law School (20 November 2018).
25. Alex Cameron and Daniel Fabiano, 'Canadian Privacy Breach Notification Rules in Force on November 1, 2018', Fasken Bulletin (5 April 2018) Available online: https://www.fasken.com/en/knowledgehub/2018/04/canadian-privacy-breach-notification-rules-in-force-on-november-1-2018 and http://orders-in-council.canada.ca/attachment.php?attach=36009&lang=en.