Thank you very much for the question.
I think the real issue is what has been happening with the digital economy and with services, as you can see. Certainly, since PIPEDA came into force, the idea of consent has changed. Instead of protecting us as individuals, it provides companies with loopholes, these seven pages of legalese, to say that we as individuals have agreed to all further collection, use, and disclosure practices.
The idea that, in this day and age, we can provide meaningful consent is broken, and has been for quite some time. That's why, in the academic world, if we're talking about a privacy framework for the 21st century, there is a lot of thought as to whether we shouldn't be moving beyond just focusing on consent as a gateway, such as saying that if someone consents then everything is fine. We should really be restricting what companies do with the information they collect. We should see a lot more regulation of uses and disclosures, not enabling of organizations to say, “Well, I've got somebody ticking a box over here, therefore I can go ahead and do whatever I want.”
This is a serious concern, especially when you're talking about this new kind of big data analytics in which companies are trying to collect a lot of information, do what we call free-form analysis, look for correlations, and do the type of predictive analytics that then make the headlines. For example, Target sent a notice to the family of a teenager that their daughter was pregnant. The father didn't know, but Target staff knew because they punched the numbers.
Regulation of use is what is required in this day and age, not just focusing narrowly on consent. Organizations will find the loopholes. They'll use legalese and write long agreements. That has not been helpful so far.