To exercise their privacy rights, individuals express preferences to organisations that may collect their data. However, individuals undertake hundreds (if not thousands) of electronic interactions each day.
Just as our technological tools gave us the ability to reach so far, we should have tools that enable us to exercise our rights to the same extent. In the Mid-Atlantic Privacy discussion of Interoperability, we identified this need for global standards for compliance between multiple legal regimes and for cooperation between technical platforms.
Earlier today, a group of stakeholders consisting of technologists, media organisations, and technology companies announced an example of just such a tool: the Global Privacy Control (GPC). In addition to describing the concept of a simple signal that a web browser could communicate to sites, they also posted technical specifications and identified web browsers that have already agreed to participate.
This effort is still in its trial phase, but it shows the power of interoperability - if GPC were to be technically adopted and deemed to fit global legal requirements. With this in mind, how might this standard align with the Personal Information Protection Act (PIPA)?
Some laws contain an express provision with exact language for a "Do Not Sell My Data" opt-out link on a web site. PIPA does not contain that kind of specificity, but GPC nevertheless is a potential solution to meet several obligations under Bermuda law.
Often, web sites will rely on consent as the condition for using personal information (PIPA section 6(1)(a)). This means that an individual must take action with each and every site they visit. Further, if an organisation intends to rely on consent, then it "shall provide clear, prominent, easily understandable, accessible mechanisms" (PIPA section 6(2)(a)).
GPC provides a clear and binary indication of an individual's choice: if the field value is selected, then the individual has requested that their data not be sold or shared. If a web site's terms of use or privacy policy includes provisions regarding selling or sharing data, then the individual has not consented to that policy as described. The GPC tool has indicated that the individual has a different preference than to accept those terms. Based on a review of several web browsers' stated intentions regarding GPC, it appears likely to be a prominent, easily understandable, and accessible mechanism in the browser settings. (As an example, see DuckDuckGo's explanation.)
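As an added illustration (not code from this post or from the GPC project), the snippet below shows how a web site could honour the binary signal described above on the server side. It assumes the request header name Sec-GPC with the value "1" and the /.well-known/gpc.json resource as defined in the GPC specification (neither is named on this page), and the consent purpose labels and sample requests are constructed for the example.

```python
"""Honour the Global Privacy Control signal when deciding what a site may do."""

# Header name and value come from the GPC specification (assumption: not stated on this page).
GPC_HEADER = "sec-gpc"
# Purposes this page treats as covered by GPC: selling or sharing personal information.
GPC_COVERED_PURPOSES = frozenset({"sale", "sharing"})


def gpc_opted_out(headers: dict) -> bool:
    """Return True only when the request carries Sec-GPC with the exact value "1".

    Header names are matched case-insensitively. Any other value, or no header
    at all, is treated as "no signal", never as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def effective_consent(headers: dict, recorded_consent: dict) -> dict:
    """Combine a stored consent record (purpose -> bool) with the GPC signal.

    When the signal is present, consent for sale/sharing purposes is withdrawn
    regardless of what the site's own banner recorded, matching the reasoning
    above that the individual has not consented to those terms.
    """
    result = dict(recorded_consent)
    if gpc_opted_out(headers):
        for purpose in GPC_COVERED_PURPOSES:
            result[purpose] = False
    return result


def well_known_gpc(last_update: str) -> dict:
    """Body for /.well-known/gpc.json announcing that the site honours GPC."""
    return {"gpc": True, "lastUpdate": last_update}


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = {
    "browser_with_gpc": {"Sec-GPC": "1", "User-Agent": "example"},
    "browser_without_gpc": {"User-Agent": "example"},
    "malformed_signal": {"Sec-GPC": "yes"},
}

if __name__ == "__main__":
    consent = {"analytics": True, "sale": True, "sharing": True}
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(label, effective_consent(hdrs, consent))
```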
Regardless of the condition for using personal information, individuals possess privacy rights as described in PIPA Part 3. Among these rights are the ability to "request an organisation to cease, or not begin, using his [or her] personal information":
"...for the purposes of advertising, marketing or public relations," (PIPA section 19(6)); or
"where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual" (PIPA section 19(7)).
Depending on the facts or circumstances involved, either of these rights could possibly be invoked by the type of selling or sharing preferences expressed under GPC.
However, we are in early days. As the GPC group says: "During the initial experimental phase, the GPC signal is not intended to convey legally binding requests." Likewise, with PIPA in its transition period, this analysis is not intended as an endorsement or a requirement to implement GPC - yet, at least. It's certainly a topic to revisit, and an example of the great potential of interoperability.
Alexander McD White
Privacy Commissioner
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Press Background:
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issuing guidance and recommendations, liaising with other enforcement agencies, and advising on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people's rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by His Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."
About Global Privacy Control: Announced 7 Oct. 2020, details regarding Global Privacy Control may be found on their web site: https://globalprivacycontrol.org.