North America

On May 24, 2018, the Office of the Privacy Commissioner of Canada published two important guidance documents in respect of activities regulated pursuant to the Personal Information Protection and Electronic Documents Act (“PIPEDA”):

Guidelines for Obtaining Meaningful Consent (the “Consent Guidelines”), which includes a checklist for consent and is effective on January 1, 2019;  and

Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3) effective on July 1, 2018 (the “Data Practices Guidance”).

The publication of the above guidance documents comes on the heels of the Commissioner’s consultation on consent and the recent updating of guidance on “Recording of Customer Telephone Calls “. In this bulletin, we review the Consent Guidelines and Data Practices Guidance and highlight implications for organizations that are subject to PIPEDA.

Guidelines for Obtaining Meaningful Consent

The Consent Guidelines provide that organizations should follow seven key principles in seeking to obtain meaningful consent under PIPEDA. These are reviewed below.

 

1.  Emphasize key elements

Emphasizing key elements in consent (and any associated public-facing privacy policy) can improve an individual’s understanding of the consequences of giving consent, and thereby contribute to meaningful consent. The Consent Guidelines provide that organizations must generally put particular emphasis on the following elements:

  • What personal information is being collected, used and disclosed: Organizations should identify all information that will or may be collected, with sufficient precision to permit individuals to understand what they are consenting
  • The purpose for which the information is being collected, used or disclosed: Organizations should describe these purposes in sufficient detail to ensure that individuals have a meaningful understanding of them; vague descriptions should be Any purposes that are not integral to the provision of the organization’s products or services, and any uses that would not be reasonably expected given the context, should be emphasized.
  • Information-sharing with third parties: Where organizations share information with a large number of third parties, or where the parties may change over time, an organization should list the types of organizations with which they are sharing information, and give users the ability to access more details if they Any third parties that will be using the information for their own purposes, rather than for advancing the purposes of the first party, should be emphasized.
  • Whether there is a risk of harm arising from the collection, use or disclosure of information: Organizations should consider emphasizing harms that may be associated with the activity for which consent is sought, including both direct as well as indirect harms (e.g. unauthorized use of information). The risk of harm refers to any risk of significant harm (that is, more than minimal or a mere possibility) after accounting for any mitigating procedures taken by the Individuals must be aware of the consequences of their consent in order for that consent to be meaningful. This includes indirect risks, such as third party misuse of information.
2.   Allow individuals to control the level of detail

Organizations should make privacy disclosures more manageable and accessible by allowing individuals to decide how, when, and how much information about an organization’s privacy practices the individual accesses at any given time. Layered disclosure is one such approach. Layered disclosure starts by displaying more abstracted, general information, and allows individuals to obtain more detail on discrete topics if they wish. Additionally, privacy disclosures should be readily available so that an individual can return and re-read about an organization’s privacy practices. This approach supports meaningful consent, as it allows individuals an opportunity to reconsider and potentially withdraw consent if they object to any of the organization’s practices.

3.   Provide individuals with clear options to say ‘yes’ or ‘no’

Organizations must not require individuals to consent to the collection, use or disclosure of more information than is necessary for the product or service which is being provided. For a collection, use, or disclosure to be “necessary”, it must be integral to the provision of that product or service (i.e. required to fulfill the explicitly specified and legitimate purpose). If any other information is to be collected on an opt-in or opt-out basis, individuals should be able to choose whether or not to consent to the collection of this additional information, and this choice should be clear and accessible, unless an exception to consent applies.

4.   Be innovative and creative

Organizations should think about moving away from simply transposing paper-based policies into their digital environments, and seek innovative ways to obtain consent. J’ ust-in-time’ notices, for example, are an alternative to obtaining all consents ‘up-front.’ For example, a cell phone application that, rather than asking for access to location data upon installation, asks for this consent the first time the individual attempts to use the application in a way which requires location data, provides more context to the individual and a better understanding of what is being collected and why. Other interactive tools such as videos, or click-through presentations which explain privacy policies, and mobile interfaces, could also be used. Additional information regarding mobile apps is provided in the Commissioner’s guidance: “Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps “.

5.   Consider the target individual’s perspective

To ensure that consents and privacy disclosures are user-friendly and understandable, organizations must be mindful of the perspective of target individuals. This involves the use of an appropriate level of language, clear explanations, and a comprehensible display. It also involves consideration of the types of devices that target individuals will be using (laptops, mobile phones, tablets, etc.). Organizations may wish to understand the perspective of target individuals by consulting with them, running pilot tests and focus groups, engaging with privacy experts, and following industry best-practices.

6.   Make consent a dynamic and ongoing process

Consent should be an ongoing, dynamic and interactive process (and not a one-off process). Periodic reminders and refreshers about an organization’s privacy practices should be implemented, as well as an ongoing and practical ways for individuals to obtain more information.

7.  Be accountable: stand ready to demonstrate compliance

Organizations should be ready to prove that they have obtained meaningful consent, including showing that their consent process is understandable and accessible. One such way to do this is for organizations to be aware of these guidelines, as well as the guidance provided by the Commissioner in “Getting Accountability Right with a Privacy Management Program “, and to show that they have followed them.

Additional topics addressed in the Consent Guidelines Appropriate form of consent

In addition to the seven guiding principles above, the Guideline reminds organizations of the need to consider what type of consent is appropriate given the circumstances. While in some situations implied consent may be adequate, there are some circumstances which will generally require express consent, including: (a) when the information being collected, used or disclosed is sensitive in nature; (b) when an individual would not reasonably expect certain information to be collected, used or disclosed given the circumstances, and (c) when there is a more than minimal risk of significant harm.

Consent and children

Another contextual factor is whether the target individuals include children. When children are involved, organizations should take into account the fact that children will generally have different emotional and cognitive processing abilities than adults. This affects their ability to understand how their personal information is being used, and hence will affect their ability to give meaningful consent. The OPC requires that, for children 13 and under, a parent or guardian give consent on the child’s behalf. When the target individuals include minors who are able to provide consent themselves, organizations should still take their maturity into account, and should be ready to show how they have done so.

At the conclusion of the Consent Guidelines, the Commissioner provides a useful checklist of “Should do” and “Must do” action items for organizations seeking to obtain meaningful consent under PIPEDA.

Guidance on Inappropriate Data Practices

Concurrently with publishing the Guidelines, the Commissioner published the Data Practices Guidance , which sets out various considerations that organizations should keep in mind when assessing whether a certain practice may be contrary to subsection 5(3) of PIPEDA.

Subsection 5(3) of PIPEDA is an overarching requirement which provides that: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.” In order words, even with an individual’s consent, there are certain purposes that would be unacceptable under PIPEDA on the grounds that a reasonable person would not consider them to be appropriate.

Like meaningful consent, whether or not a purpose is inappropriate requires a contextual approach. As summarized in the Data Practices Guidance, the following factors have been applied by the Commissioner and the courts:

  • Whether the organization’s purpose represents a legitimate need / bona fide business interest; Whether the collection, use and disclosure would be effective in meeting the organization’s need;
  • Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
  • Whether the loss of privacy is proportional to the benefits (which includes consideration of the degree of sensitivity of the personal information at issue).

In addition, as set forth in the Data Practices Guidance, the Commissioner has established a list of prohibited purposes under PIPEDA, which they have deemed “No-Go Zones.” The Commissioner considers that a reasonable person would not consider the collection, use or disclosure of information to be appropriate in these circumstances. Currently, the list of “No-Go Zones” may be summarized as follows:

  • Collection, use or disclosure that is otherwise unlawful (e.g. violation of another law);
  • Collection, use or disclosure that leads to profiling or categorization that is unfair, unethical or discriminatory in a way which is contrary to human rights law;
  • Collection, use or disclosure for purposes that are known or likely (on a balance of probabilities) to cause significant harm to the individual (e.g. bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record or damage to or loss of property);
  • Publishing personal information with the intended purpose of charging individuals for its removal (i.e. “blackmail”); Requiring passwords to social media accounts for the purpose of employee screening; and
  • Surveillance by an organization through the use of electronic means (e.g. keylogging) or audio or video functionality of the individual’s own device.

While these “No-Go Zones” are important to note, organizations should also remember that the list is not binding, determinative or exhaustive, and that subsection 5(3) requires a contextual analysis. What a reasonable person would consider appropriate is a flexible and evolving concept which will be revisited by the Commissioner from time to time.

Implications for organizations subject to PIPEDA

The Commissioner’s guidance documents do not have the force of law and are not binding on organizations. However, they plainly set out the Commissioner’s expectations, provide a benchmark against which the Commissioner will assess practices in the context of a complaint, audit or investigation, and provide a useful reference for organizations seeking to comply with PIPEDA.

It is also important to note that, over time, previous Commissioner guidance documents, including “Guidelines for Processing Personal Data Across Borders “, have come to set the de facto standard and practices under PIPEDA. Organizations should familiarize themselves with the new guidance documents and consider steps to amend practices as necessary. For example, organizations which use mobile and online interfaces can refer to work which is already being done regarding the implementation of privacy icons, and privacy dashboards to help obtain meaningful consent. These and other potential solutions are discussed in the Commissioner’s discussion paper, “Consent and Privacy “.

Finally, in considering compliance with the new guidelines discussed in this bulletin, organizations should be mindful of the consequences of failing to obtain meaningful consent or failing to process information for appropriate purposes as required by PIPEDA. For example, a failure to obtain meaningful consent from a large number of individuals could undermine the basis upon which key business operations are premised. This could not only render those operations non-compliant with PIPEDA but also give rise to class action litigation risk for a privacy breach (e.g. processing personal information for commercial purposes without adequate consent).

 

Authors

Alex Cameron Daniel Fabiano Robin Spillette
Alex Cameron
PARTNER
Toronto, ON
Daniel Fabiano
PARTNER
Toronto, ON
Robin Spillette
SUMMER STUDENT
Toronto, ON

© 2017 Fasken Martineau DuMoulin LLP

Related Articles by Firm
New transparency registry for all private BC companies in the offing
If the bill comes into force it will have far reaching compliance consequences for all private BC companies.
Privacy Commissioner of Canada reverses position on transfers of personal information for processing
The Commissioner has made a surprising reversal of its long-standing position on the transfer of personal information.
Changes are coming!
Five factors to consider when reviewing your Canadian trademark strategy in 2019.
The Canadian gig economy: Embracing the future of work
Instead of quashing models that have the potential to empower the workforce, better protections for gig workers are needed.
A closer look at Canada’s budget
Fasken’s team examines important budget 2019 measures — some which made headlines, and others that should not escape notice.
Selected tax measures in Canada's 2019 federal budget
The budget contains significant proposals to amend income and excise taxes, while also providing updates on previously announced tax measures and policies.
OSFI issues advisory on technology and cyber security incident reporting
The Advisory reflects the fact that OSFI is very focused on this increasingly significant area of risk.
Health Canada pushes for safer medical devices
The announcements foreshadow significant near-term changes to Canada's medical device regulatory regime.
USMCA impact on communications industries
How the US-Mexico-Canada Agreement affects telecommunications, broadcasting and digital trade.
Surprise changes seek to modernise Canadian trademarks law and practice
This bulletin looks at key proposed changes to trademark law in Canada.
Time limits for retaining information about employees
Retention of personal information carries various obligations, particularly in terms of access to the information and confidentiality.
Further hurdles for regulatory approval of notifiable mergers in South Africa
On July 12, the Competition Amendment Bill was introduced in Parliament, substantially revising the earlier version of the Bill.
Hitting the sweet spot: Regulation of sweetened alcoholic beverages
Health Canada issued a notice of intent to restrict the amount of alcohol in highly sweetened alcoholic beverages.
Significant changes proposed to Canada’s AML/ATF regime
The Proposed Regulations are wide ranging and include a number of substantive changes as well as technical amendments.
Cybersecurity risks for directors and officers
The cybersecurity field is ripe for affected stakeholders to test claims that directors and officers have failed to discharge their duties.
Cybersecurity Risks for Directors and Officers
Directors and officers in Canada face increased risk of personal liability and threats to job security in relation to cybersecurity...
Proposed changes to Canada's anti-money laundering and anti-terrorist financing regime
A consultation paper released in February could potentially have broad implications for Canada's AML/ATF regime.
Bill 148 Update: Scheduling and the three-hour rule
The Fair Workplaces, Better Jobs Act, 2017 makes significant changes to the Employment Standards Act, 2000.
Does your non-competition clause really protect you?
Or does it merely offer the illusion of protection? What you need to know about the validity and enforceability of a non-competition clause.
Canada: Selected Tax Measures in the Federal Budget 2018
Canada's 2018 Federal Budget contains significant proposals to amend the Income Tax Act and the Excise Tax Act while also providing updates on previously announced tax measures and policies ...
Expect the Intersection of Privacy and AI in 2018
We must consider how to regulate, or at least control, the use of artificial intelligence at different levels ...
Energy Licences and Approvals in Canada
Update on Directive 067: Eligibility Requirements for Acquiring and Holding Energy Licences and Approvals ...
Canada to Revise Tax Voluntary Disclosures Program
Effective March 1, 2018: New Regime will Result in Limited Relief for Certain Taxpayers Disclosing Errors and Omissions ...
Canada: New CASL Ruling
CRTC Provides Guidance on B2B Messaging and the Due Diligence Defence ...
Corporate Parent Liability: Litigation Risks for Resource Companies
Traditionally, parent companies have been considered legally distinct entities and thus immune from the actions of their subsidiaries, a concept described as the “corporate veil”. This position is now being challenged ...
Canada: No Duty to Consult Triggered by Omnibus Changes to Environmental Laws
In Canada (Governor General In Council) v. Courtoreille, 2016 FCA 311, the Federal Court of Appeal found that the federal government did not owe a duty to consult when it developed and implemented changes to environmental legislation through two omnibus bills ...
The Global Reach of Canadian Privacy Law
Federal Court Issues Landmark Ruling in Globe24h ...
Temporary Foreign Workers in Canada: Employer Compliance Rules
The regulations that govern applications for work permits provide a very strict framework for employers who hire temporary foreign workers in Canada ...
Canada is Open for Business
Trump and the Changing Political Landscape in the US ...
Primer on Procurement Rules in the New Canadian FTA
Fasken Martineau Releases Primer on Procurement Rules in the New Canadian Free Trade Agreement ...
Canada: Donald Trump, Paris and the Climate Policy Two­-Step
Will the U.S. withdrawal from the Paris Agreement fundamentally alter Canada's course?
China’s Priorities for a Free Trade Agreement with Canada
Analysis of Chinese language commentary, news media and academic studies, reveal some of China's top priorities for a free trade agreement with Canada ...
Canada: New Authorities under Vanessa's Law
On June 18, 2016, the Federal Department of Health published a Notice of Intent to amend the Food and Drug Regulations and the Medical Devices Regulations to implement key authorities under Vanessa's Law...
Canada: Consultation on New Health Regs for Self-Care Products
Health Canada is seeking consultation on new standards for self-care products, over-the-counter drugs, natural health products and cosmetics ...
Private right of action under Canada’s Anti-Spam Law
As of July 1, 2017, individuals and organizations will be entitled to institute a "private right of action" before the courts against those that contravene certain provisions of Canada's Anti-Spam Law ...
New Federal Consumer Protection Regime for Bank Customers
Canada: The government has introduced a bill which proposes to create a comprehensive federal consumer code and strengthen federal jurisdiction over provincial jurisdiction with respect to products and services of banks.
Canada: Alberta's Renewable Electricity Program
Alberta released details of the Renewable Electricity Program to accelerate the development of renewable power generation through a competitive bid process.
Certainly Uncertain: Construction Trusts after Iona in Canada
A recent decision clarifies the law regarding provincial statutory trusts in the insolvency context, particularly in the construction sector.
The Fight against Climate Change and the Overhaul of Canada's Environment Quality Act
A bill allows government to require a "climate test" from a project proponent.
Health Canada Is Cracking The Whip On Advertising Violations
On January 21, 2016, various hospitals, natural health product manufacturers, physicians and pharmaceutical companies found themselves specifically named by Health Canada in a published list of health product advertising complaints ...
Canada: New Strategic Plan for the Patented Medicines Prices Review Board
The Strategic Plan comprises a fresh vision, a revised mission statement and four new strategic objectives ...
Transport Canada Promises New Drone Regulations
Increase in popularity has had a direct effect on risks involved for the safe use of regular aircraft ...
N. America: Northern Gateway Pipeline
Province must consult and decide but may impose conditions
Canada: Tinkering with Title - Don’t Get Caught by Surprise
The Mining Amendment Act 2015 proposes a new electronic mining lands administration system in Ontario.
New Lobbyists’ Code Will Restrict Dealings with Canada’s Federal Government and Agencies
Canada's new Lobbyists' Code of Conduct will significantly restrict the activities of lobbyists and others seeking to influence federal decision making.
Righting a Wrong: Canadian Regulators Improve the Rights Offering Regime
Canadian regulatory authorities recently overhauled how prospectus exempt rights offerings are to be conducted going forward.
A change of role for a legal representative under the new Clinical Trials Regulation 536/2014?
The roles and responsibilities of the legal representative set out under Clinical Trials Directive 2001/20/EC are likely to change under the new Clinical Trials Regulation 536/2014.
Historic Court of Appeal Decision in Dunkin' Brands: Three Lessons for Franchisors in Canada
The Quebec Court of Appeal has specified the intensity of the franchisor's implied obligations in what is the most significant franchise case in Québec since 1998.
New Compliance Form and Fee for Employers of Foreign Work Permit Applicants in Canada
Employers whose foreign employees must apply for a work permit or extension should be aware of a new Compliance Form and Compliance Fee that they must submit before the person applies for the work permit in Canada.
Use of Trademarks As Metadata & #Hashtags in Canada
A recent decision of the Federal Court of Canada provides guidance on the proper use of IP in this digital world that brand owners need to know now.
Claims that Involve a Fixed Dosage and Schedule Can Constitute Patentable Subject Matter
The Canadian Intellectual Property Office has issued a revised guidance which provides clear instructions on how to approach medical use claims and determine whether such claims are eligible for patent protection.
The Application of the Bhasin Principle of Good Faith in Canada: An Early Example
A recent decision from the Supreme Court of British Columbia provides an early example of how courts will apply the general principle of good faith in Canada.
The TPP Agreement: A Canadian Business Perspective
The TPP will impact goods access and other aspects of Canadian businesses.
Foreign Corruption and the Integrity Framework in Canada: A Difficult Corporate Board Dilemna
Canada's Integrity Framework raises difficult choices for corporate board directors and management regarding voluntary disclosure of prior foreign corrupt activity of an acquired company.
Canada-EU Comprehensive Economic and Trade Agreement Negotiation Completed: Additional Protection for Innovative Pharmaceutical Products
If ratified, key intellectual property provisions in the Canada-EU trade pact will provide additional protection for innovative pharmaceutical products.
An Update on the Proposed EU Revisions to the Regulation of Medical Devices
The proposed European regulatory regime will merge the directives on Medical Devices and Active Implantable Medical Devices into a single regulation and wholly replace the current regulation on In Vitro Diagnostic Medical Devices.
UK FCA consults on requirements for reports on payments to government
While Canada does not currently have a reporting regime for payments to governments, a process is underway to ensure that a regime is implemented in the near future.
Trademark Use: an Important Shift in Canada
Bill C-31, which was given royal assent on June 19, 2014, will eliminate the requirement that a trademark be used in order to be registered in Canada.
Intellectual Property Protection - Industrial Designs
Many companies will consider the availability of and merits of seeking patent and/or trade-mark registration. However, one form of IP protection that is often overlooked is an industrial design registration.
Protocol to Amend the Canada-UK Tax Treaty
The Canada-United Kingdom Tax Convention was amended with the signing of a protocol on July 21, 2014. This article will describe some highlights of the Protocol and comment on the impact of these provisions on cross-border tax issues between Canada and the ...
The end of the Canadian "iPod Tax" saga
The "Certain Televisions Remission Order" confirms that, in fact, there is not now, and never actually was, "tax" on "iPod" imports to Canada.
Updating Canadian Trademark Filing & Registration Strategies
Here are some key trademark filing strategies for avoiding or minimizing the potential impact of recent amendments to the Canadian trademark landscape.
The Canadian insurance M&A environment
There have been a significant number of insurance company M&A transactions in the Canadian market in recent years, a trend expected to continue. Fasken Martineau DuMoulin have surveyed the acquisition agreements from these transactions and analysed ...
Merger control and foreign investment review in Canada
Fasken Martineau DuMoulin’s Huy Do and Jack Yu1 write that acquisitions of, or investments in, Canadian businesses can give rise to merger control and foreign investment reviews. ...
Related Articles
Related Articles by Jurisdiction
Changes are coming!
Five factors to consider when reviewing your Canadian trademark strategy in 2019.
Righting a Wrong: Canadian Regulators Improve the Rights Offering Regime
Canadian regulatory authorities recently overhauled how prospectus exempt rights offerings are to be conducted going forward.
Canada: New Strategic Plan for the Patented Medicines Prices Review Board
The Strategic Plan comprises a fresh vision, a revised mission statement and four new strategic objectives ...
Latest Articles