Unquestionably, personal data is the economy’s “new oil” and Canadian organizations face compliance challenges like never before. It is noteworthy, therefore, that last week the federal Office of the Privacy Commissioner (OPC) released a new Privacy Guide for Businesses (the Privacy Guide) and the Ontario Ministry of Government and Consumer Services released a public consultation on Reforming Privacy in Ontario’s Private Sector.
The Privacy Guide provides a high level overview of PIPEDA including the fair information principles.
The Privacy Guide has some interesting interpretations of PIPEDA. Here are a few examples.
Territoriality of PIPEDA
According to the Privacy Guide:
All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
It is true that PIPEDA can apply to organizations that collect, use, or disclose personal information that crosses borders, whether provincial or national. In this regard, courts have applied the real and substantial connection test to ascertain the territorial scope of PIPEDA: see Lawson v. Accusearch Inc., 2007 FC 125, and A.T. v. Globe24h.com, 2017 FC 114. However, to meet this test there must be a sufficient connection between Canada (or a province) and the activity. The mere fact that a business operates in Canada and that some of the personal information it handles crosses borders will not always be enough to satisfy the real and substantial connection test.
Express and Implied Consents
The Privacy Guide devotes considerable effort to explaining what is required for a valid PIPEDA consent. It says:
Consent can only be required for collections, uses or disclosures that are necessary to fulfil an explicitly specified and legitimate purpose. For non-integral collections, uses and disclosures, individuals must be given a choice.
This statement is a gloss on PIPEDA principle 4.3.3, which is stated in somewhat narrower terms:
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
The Privacy Guide also contains guidance on when express consent is required, giving three examples:
Determine the appropriate form of consent: obtain express (explicit) consent for collections, uses or disclosures which generally: (i) involve sensitive information; (ii) are outside the reasonable expectations of the individual; and/or (iii) create a meaningful residual risk of significant harm. (emphasis added)
Elsewhere, the Privacy Guide takes a somewhat broader view of when express consent is required:
Form of consent: It is important for organizations to consider the appropriate form of consent to use (express or implied) for any collection, use or disclosure of personal information for which consent is required. While consent should generally be express, it can be implied in strictly defined circumstances. Organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context. (emphasis added)
The statement that consents can be implied only “in strictly defined circumstances” is also in the OPC’s May 2018 Guidelines for obtaining meaningful consent and is derived from the statement of the Supreme Court in Royal Bank of Canada v. Trang, 2016 SCC 50. So is the further explanation that an implied consent is acceptable based on the reasonable expectation of individuals and the context.
The Privacy Guide lists several "related links" on the subject of consent, but does not refer to the OPC's 2014 Guidelines for Online Consent, which clarify when implied consent can be obtained online:
In the offline world, consent is often expressed through a signature. Online, it is more difficult to show consent in a form that is unambiguous and universally recognizable. Under privacy legislation, any online statement or behaviour that can reasonably be interpreted to mean consent, either explicitly or implicitly, may be acceptable depending on the circumstances. However, there should not be any doubt that consent has been given.
Consent can also be expressed by an action, for example, downloading an application after reading what personal information the application will be accessing and how it will be used. Consent can sometimes be inferred by non-action, for example, where an opt-out option has not been exercised. Organizations are free to come up with architecture that works best in a given environment, keeping in mind that consent should be expressed in an appropriate form depending on the nature of the information, the context, and the reasonable expectations of users.
The OPC also does not refer to its 2012 Fact Sheet, Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act, which provides further insight into when consent can be inferred under PIPEDA:
The CSA Model Code says “Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual”. This covers situations where the intended use or disclosure is obvious from the context and the organization can assume with little or no risk that the individual, by providing the personal information, is aware of and consents to the intended use or disclosure. Thus, where circumstances indicate that an individual has a certain understanding, knowledge, or acceptance, or certain information has been brought to the attention of an individual, consent might be implied.
Transfers of personal information
The Privacy Guide asserts that when an organization transfers personal information to third parties it must "obtain appropriate consent from the customer/client for the transfer". This statement is not consistent, or at least not fully consistent, with the longstanding opinion of the OPC that a "transfer" of personal information "is a use by the organization" and "is not to be confused with a disclosure". Thus, as confirmed by the OPC in a recent decision:
when an organization transfers personal information to a third party for processing, the third party can only use the personal information for the purposes for which the information was originally collected. If the information is being used for a purpose for which it was originally collected, additional consent for the transfer is not required.
Matters not addressed
While the Privacy Guide is useful, it does not, perhaps unsurprisingly, address some of the thorny issues that are currently the subject of law reform review both federally and in Ontario. For example, the Privacy Guide does not address the following issues raised by the Ontario Ministry of Government and Consumer Services in its public consultation on Reforming Privacy in Ontario's Private Sector:
- The right for individuals to request information related to them be deleted or deindexed, subject to limitations (this is otherwise known as “erasure” or “the right to be forgotten”).
- The right for individuals to obtain their data in a standard and portable digital format giving individuals greater freedom to change service providers without losing their data (this is known as “Data Portability”).
- Requirements and opportunities to use data that has been deidentified and derived from personal information, to provide clarity of applicability of privacy protections.
- Circumstances where consents to use personal information may not be necessary, practicable or appropriate.
The OPC recently issued a statement and an opinion on the compatibility of contact tracing apps with Canadian privacy law: see Supporting public health, building public trust: Privacy principles for contact tracing and similar apps (Joint Statement by Federal, Provincial and Territorial Privacy Commissioners) and Privacy review of the COVID Alert exposure notification application. In its analysis, the OPC applied a "Necessity and Proportionality" assessment. It would be useful for the OPC to explain the grounding and applicability of this principle under PIPEDA. The Privacy Guide would have been a good place to do so.
The Ontario privacy consultation document strongly suggests that Ontario plans to enact a comprehensive private-sector privacy law similar to those already in force in Quebec, Alberta, and BC. This would likely fill gaps in our laws, such as the lack of privacy protection for employees of non-federally regulated enterprises. However, such a law also raises the prospect of inconsistencies between federal and provincial laws, and of increased compliance costs for organizations that carry on business across Canada, both to reconcile those inconsistencies and to respond to multiple and potentially overlapping investigations and enforcement proceedings. It also raises the prospect of organizations facing hefty fines for the same privacy violation in more than one Canadian jurisdiction, especially if there is no rule designating one privacy commissioner as the lead enforcement regulator. This consultation is something that must be taken seriously by organizations that carry on business in Ontario.