GTC UPDATE: PRIVACY GUIDANCE IN CANADA

GTC Law Group PC & Affiliates[1]

Updated: October 15, 2017

Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) sets high and sometimes difficult standards of “meaningful” consent. To try to help, Canada’s Office of the Privacy Commissioner (OPC) published, on September 21, 2017, a Report on Consent as part of its Privacy Act Annual Report to Parliament (Annual Report).[2] Reflecting consultation with businesses and with the public, the Report provides some guidance on consent and its alternatives, promising more in the future. Somewhat more ominously, the Annual Report also proposes a shift from the current reactive, complaint-driven model of enforcement to a more proactive model in which the OPC would conduct voluntary and involuntary audits to verify compliance with privacy laws, augmented by new powers to award damages and administer fines.

Meaningful Consent: A key finding is that privacy policies are often too lengthy, complex and ambiguous, making it difficult for individuals to understand how their personal information will be used or disclosed, thus undermining meaningful consent. To remedy this, the Report on Consent proposes seven guiding principles for privacy policies.[3] Some of their statements are very general in nature (Example: Principle #4: “Be Innovative and Creative”), but the Report includes specific examples that are directive and helpful (“[I]f a user’s age is being requested to register for an online service, a just-in-time notice explaining why this information is needed should appear near the space where the user would input the information.”). Companies can and should harvest language from these examples for their policies whenever the examples are relevant. The Annual Report also notes that the OPC plans to issue further guidance on online consent and on “no-go” zones, such as profiling or categorization that leads to unfair, unethical or discriminatory treatment, where the use of personal information should be prohibited as inappropriate even with consent.

Alternatives to Meaningful Consent: A major problem with Canada’s privacy legislation is that it does not differentiate between routine one-on-one interactions between organizations and individuals (e.g. an individual providing personal information when making an online purchase) and newer technologies (e.g. search engines that return billions of search results each day that may or may not contain an individual’s personal information). PIPEDA purports to require meaningful consent for both, but obtaining consent in the latter case may be nearly impossible. The OPC acknowledges that the rapid evolution of technology challenges Canada’s privacy legislation, especially regarding meaningful consent: “[S]earch engine indexing websites and big data analytics are just two examples where the volume and velocity of information collection and use may make consent impracticable.” In cases where consent is difficult to obtain, the OPC suggests adopting the concept of “legitimate interests,” which is a recognized exception to consent in European law. However, the European approach is too broad for the OPC, which would prefer a more targeted approach. Specifically, the exception should (i) “apply only in cases where the societal benefits – and not just the benefits to the organization – clearly outweigh the privacy incursions” and (ii) meet prescribed legal conditions. The OPC also wants to tie the exception to stronger proactive enforcement powers.

What to do?

The OPC’s effort to provide meaningful guidance on meaningful consent is laudable, and the specific examples provided under its seven principles help businesses struggling to comply with PIPEDA. These principles and examples can profitably be studied and applied to the privacy policies of any company doing business in Canada. The OPC’s prediction of more guidance in the future, combined with broader enforcement powers, also serves to emphasize that any company doing business in Canada must keep a close eye on developments there and be prepared to change and adapt its privacy policies to the evolving regulatory environment.

[1] Prepared by Laila Paszti under the supervision of GTC Shareholder Thomas M.S. Hemnes. Laila is admitted to practice in New York and Ontario (Canada). Tom is admitted to practice in Massachusetts, England and Wales. This Update discusses certain legal and related developments and should not be relied upon as legal advice, or as legal guidance for particular circumstances. Readers are cautioned against making any decisions based on this material alone.

[2] Office of the Privacy Commissioner, 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act, September 20, 2017 (available at https://www.priv.gc.ca/media/4586/opc-ar-2016-2017_eng-final.pdf) (“Report”).

[3] The principles can be found on OPC’s website: https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-consent-under-pipeda/gl_moc_201709/.