Is Consent the Foundation of Fair Information Practices? Canada's Experience Under PIPEDA

Abstract

Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) implements what are known internationally as information Within this model of data protection, privacy is often seen to be the core interest protected and individual consent to the collection, use and disclosure of personal information is the central vehicle through which this protection is accomplished. This paper argues that the alleged centrality of consent to the protection of privacy is misplaced: all derogations from consent are not necessarily derogations from privacy. A number of reasons support this claim. First, there are persuasive arguments that individual consent is neither necessary nor sufficient for the adequate protection of privacy. Second, consent is not the only norm operating to limit the collection, use and disclosure of personal information within different articulations of fair information practices. Third, decisions rendered under PIPEDA so far indicate that where individuals are properly notified regarding the for the collection of their personal information and that collection is found to be reasonable, a finding of consent usually follows. This suggests that it is reasonable purposes that holds out the most promise for strong privacy protection and is therefore deserving of greater attention by the privacy community.