ICTC’s Rob Davidson and Mairead Matthews attended the BC Freedom of Information and Privacy Association’s Data Privacy Jam on Meaningful Consent in March, alongside 25 of the brightest minds on privacy in Canada. This piece was inspired by the many, fruitful conversations that began by asking a single question: What does meaningful consent look like in a ‘smart’ and data-driven world?
In many areas of our lives, saying ‘yes’ to privacy policies has become a necessary prerequisite to access–whether that be access to lower insurance rates, personalized banking, or other products and services. Saying ‘no’ in this context means missing out on tailored, or higher quality services and settling for the fall-back option: the basics. In the absence of a fall-back option, however, saying no means much more. In the workplace or in education, for example, it can mean losing access to a new job opportunity or to higher quality education.
Employees, students, and consumers are increasingly being asked to trade their personal information for access to education, the workforce and consumer products, giving rise to a brand-new class of gatekeeping.
Gate·keep·ing / noun / the activity of controlling, and usually limiting, general access to something.[i]
Gatekeeping emerges most often when there is unequal power distribution between two or more parties, and therefore unequal ability to control access to something. In controlling access, gatekeepers will usually also control the terms.
The clearest and perhaps most well-known example of gatekeeping lies with the media. Media companies–newspapers, broadcasters, publishers, record labels, and now, social media networks–act as gatekeepers by filtering information for dissemination to the public, and in so doing, they control access to that information. This becomes increasingly more apparent as newspaper companies around the world move to introduce pay walls for their content.
Naturally then, privacy setting-induced gatekeeping has emerged most forcefully in places where there are clear and exorbitant power imbalances: in the workplace; in education; and in low-competition commercial environments.
- In the workplace
Employee information is governed by a complex web of federal and provincial privacy legislation, collective bargaining agreements, legal decisions, and the Charter of Right and Freedoms. In short, employers are expected to balance their right to collect employee information with their employees’ rights to privacy. Although it’s worth noting that in some cases, employee information can actually be collected and used without consent, so long as it is reasonable and for purposes related to employee management.
A best-case scenario might involve two-way negotiations between employers and employees shortly after hiring, resulting in individually tailored privacy policies where necessary.
In practice, workplace privacy tends to be a one-way street. Employers provide new employees with a complex set of privacy policies to be signed during the onboarding process, alongside a myriad of other work-related requirements, such as dress codes, IT policies, or codes of conduct. In this context, agreeing to workplace privacy policies is a necessary prerequisite to employment, with little to no ability to renegotiate the terms.
This may seem insignificant in workplaces where employers do no more than collect basic personal information and performance data, but in others, access to the workforce can mean signing up for Facebook, carrying around a GPS tracker, wearing a body camera, or installing a computer application that monitors your day-to-day behaviour.
- In education
Data collection is by no means new to Canada’s education system: schools across Canada have always collected personal and academic information for student records, and there is a patchwork of legislation in place to govern some aspects of this activity. In Ontario, for example, the collection, use, retention, and disclosure of student information is subject to provisions in the Education Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Act.[ii]
The mass proliferation of education technology, on the other hand, is relatively new to Canadian schools.
On the hardware front, Canadian schools are using everything from Chromebooks and iPads to Raspberry Pi, Sphero, and virtual reality products.[iii] In terms of software, teachers use off-the-shelf apps to communicate with parents about students and their performance at school. Similarly, Canadian universities use email suites and learning management systems like Brightspace for a variety of tasks, including class discussions, handing in assignments, and communicating with students.
In many cases, educational technology is mandatory, but even in situations where it is not, its widespread adoption and the consistent lack of alternatives can leave students and parents to believe that they cannot truly opt out.[iv]
Nonetheless, technology in the classroom is a must-have if students want to be prepared for almost any career today, and any approach to generating meaningful consent in educational contexts should take this into consideration.
- In low-competition commercial environments
Commercial products and services differ between workplaces and educational institutions in that they are, for the most part, not necessary to basic participation in society. In other words, when consumers don’t like the privacy policies associated with a given product or service, they can generally just choose not to pay for it.
While this is the general rule, there are some exceptions. Sometimes there aren’t other companies or service providers to choose from; and other times there are, but they offer the same, low-level of privacy protection.
With enough consumer awareness and demand, the market may eventually correct itself, causing companies to change their privacy policies, or for privacy-friendly options to become available. A good example of this is search engines–despite an initial lack of privacy-friendly competition in the search engine market, new options like DuckDuckGo have since become available.
In situations with heavy power-imbalances–such as in the medical technology space–consumers may not be able to hold-off long enough for the market to correct. Again, in these contexts, saying yes to privacy policies becomes a necessary prerequisite to accessing products and services.
So how might we generate more meaningful consent?
The solution to the problems outlined above is not simple nor obvious. It seems somewhat clear that to generate meaningful consent in the workplace, in education, and in low-competition commercial environments, we will have to find new and innovative ways to shift power imbalances. These approaches will need to be tailored to their specific contexts as well: what works for students and parents in education, may not necessarily work for employees in the workplace.
For unionized employees, it will be important to generate better awareness about privacy in the workplace and negotiate fairer terms in collective agreements. For non-unionized employees, it may be a matter of fortifying existing provincial and federal privacy legislation (e.g. to better support provincial employees in Alberta, Québec, and British Columbia, and the employees of federally regulated organizations), and creating new employee-focused privacy legislation where none currently applies. New or improved regulation could, for example, establish or reinforce access to information, proactive disclosure, or accuracy provisions.
For both employees and students, it will be important to advocate for access to workplace and education technology that allows for personalized privacy settings, both at the hardware and software level.
Finally, for consumers, adjustments to existing competition laws may be needed, such as establishing new provisions on data and data privacy.