You've described a number of situations. Consent is certainly a fundamental principle of PIPEDA, in the relationship between consumers and commercial organizations. However, as I said in my opening remarks, I think it would be useful to consider whether consent, given the complexity of technology and business models, will always offer a meaningful privacy protection, or whether we should look at other mechanisms, such as legitimate interest under the GDPR. That's for the commercial sector.
With respect to the public sector, consent is not as fundamental. It is an element, but there are a number of situations where the government can require, from an individual's data, personal information for service delivery. If I put the two together, the use of information either to deliver government services or to offer services for a company, I think it's important to recognize that data can be useful to either the public or the private sector to offer better services.
The issue is how to properly manage that information and—very importantly, from my perspective—have the right legal framework to ensure that the actors, whether it's government departments or companies, handle that data in a responsible way. It should also ensure that there is a third party, currently my office, with powers to protect individuals, because individuals will not be able to protect themselves completely when facing large corporations or large departments.
I'm not against the collection, use and sharing of information to improve services, but I think that our current frameworks in Canada are lacking.
