To consent and beyond: are No-Go Zones the next frontier? – Part 2
Just don’t go there
This is where No-Go Zones come in. A discussion paper published by the Office of the Privacy Commissioner of Canada (OPC) defines No-Go Zones as essentially a prohibition on collection, use or disclosure of personal information in certain circumstances – irrespective of consent. No-Go Zones can be based on different criteria, for example the nature and sensitivity of the personal information concerned, the proposed use or disclosure, or vulnerabilities associated with a particular group (e.g. children) whose data is being processed.
A good example of this model in practice can be found in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which covers private sector and federally-regulated organisations. PIPEDA contains a guiding principle – subsection 5(3) – that underpins the interpretation of the various provisions under PIPEDA:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
In May 2018, the OPC released guidance to assist organisations with the interpretation and application of subsection 5(3). This guidance sets out a list of practices which the OPC determined, through past findings and extensive consultation, were generally considered inappropriate from the perspective of a ‘reasonable person’ – even where an organisation had obtained individuals’ consent.
As noted in the guidance, whether a purpose is considered appropriate from the perspective of a reasonable person ‘is a flexible concept that requires time, careful reflection and practical experience to define’, and in practice, ‘will require a contextual analysis’. Nonetheless, the six ‘No-Go Zones’ outlined in the guidance provide useful boundaries for organisations and individuals:
- Collection, use or disclosure that is otherwise unlawful: a practice that would be in breach of another Canadian federal or provincial law would be considered inappropriate – for example, a collection of personal information that is prohibited by consumer laws would be an inappropriate purpose under subsection 5(3).
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law: for example, data analytics that results in inferences being made about individuals or groups, with a view to profiling them in ways that could lead to discrimination based on prohibited grounds contrary to human rights law.
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual: recognising the privacy trade-offs that individuals make in order to get products and services (e.g. giving up some privacy for convenience), the OPC believes a reasonable person would not consider it appropriate for an organisation to require an individual to experience significant harm just to access that product or service. ‘Significant harm’ includes bodily harm, damage to reputation and relationships, loss of employment and identity theft.
- Publishing personal information online with the intended purpose of charging individuals for its removal: essentially blackmailing individuals is an inappropriate purpose, and definitely a No-Go Zone under PIPEDA.
- Requiring passwords to social media accounts for the purposes of employee screening: the guidance states that ‘requiring passwords in order to access private parts of social media accounts has the potential to expose incredible amounts of highly sensitive personal information that are neither relevant nor necessary for the employer’s legitimate business purposes’.
- Surveillance by an organization through audio or video functionality of the individual’s own device: such as an organisation tracking individuals through their device’s audio or video functionality, either without their knowledge or even with ‘consent’, when doing so is hugely disproportionate to the business objectives or benefits the organisation is seeking to achieve.
Given that the concept of No-Go Zones (at least in the context of PIPEDA) is premised on what a ‘reasonable’ person would consider appropriate in the circumstances, the above list of prohibited practices will likely evolve over time, as acknowledged in the OPC’s guidance.
A go for No-Go Zones?
Just like consent, No-Go Zones are not a panacea to the challenges of complex data flows, or unexpected and inappropriate data processing by organisations. However, they may have a role to play in strengthening privacy protections for individuals, should we as a society decide that certain data practices are simply not acceptable, regardless of whether we provide consent or not.
Victorian Information Commissioner Sven Bluemmel often uses buildings as a useful comparison: governments set standards and processes around the safety of buildings to ensure they’re safe for people, and so when we walk into one we assume that we can do so safely. We don’t get asked for consent to walk into a dangerous building – we’re simply not allowed. And yet when it comes to our privacy, we are often asked to consent to practices that could potentially place us in harmful situations. Perhaps like dangerous buildings, inappropriate or potentially harmful data practices should simply be unacceptable.
Of course, this approach would have its own challenges: how do we as a society decide what is an appropriate or inappropriate collection, use or disclosure of our personal information, given the vast array of views, beliefs, and practices within society? How do No-Go Zones fit into or alongside principles-based privacy legislation? How can organisations be expected to tailor their data processing practices depending on what country they operate in?
No-Go Zones or not, the public, governments, regulators, and (some) organisations themselves are increasingly seeing the need for current approaches towards privacy protection to strengthen and evolve, amidst the digital landscape and its many complex and unprecedented challenges. Whatever approaches are adopted, all I can say is may the privacy protection be with you, always.
This blog post was written by Tricia Asibal, Senior Policy Officer, Office of the Victorian Information Commissioner. The views expressed in this post are the author’s own and do not necessarily reflect the views of OVIC.