Written by Ruth Promislow, Stephen Burns and Michael Whitt
As the digital landscape evolves, and the commoditization of personal information increases, expectations as to what constitutes appropriate consent for the collection, use and disclosure of personal information in Canada are also evolving and becoming more onerous.
With the announcement of Canada's Digital Charter, the federal government has moved to bolster the privacy rights of Canadians by identifying 10 key principles, one of which is “consent and control”. Specifically:
Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.
This focus on providing greater control for Canadians over their personal information and privacy aligns with the recent decisions and guidance of Canada's Privacy Commissioner and foreshadows some of the likely changes to the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) which will result from the expected modernization of PIPEDA (identified as one of the first steps toward implementing Canada's Digital Charter).
The modernization proposal focuses on (among other things) meaningful consent. To address this issue, it is proposed that organizations be required to provide individuals with the information they need to make informed decisions, including requiring specific, standardized, plain-language information on the intended use of the personal information, the third parties with which the personal information will be shared, and prohibiting the bundling of consent into a contract.
This proposal is consistent with a number of the recent developments in the evolution of privacy-related consent requirements in Canada. For example:
- May 2018: Guidance from the Office of the Privacy Commissioner of Canada (OPC) identified several principles underlying meaningful consent including the need to provide the consumer with information about: (1) what personal information is being collected; (2) with which parties personal information is being shared; (3) the purpose for which personal information is collected, used or disclosed; and (4) the potential risk of harm and other consequences from the collection, use or disclosure.
- April 2019: Report from the OPC involving the high-profile breach involving Equifax Inc., in which the OPC took a similar position on the issue of consent. Key highlights from the OPC report include the following:
- The key goal of the consent provision in PIPEDA is to “empower Canadians to make choices concerning who has their personal information and why”.
- The transfer of personal information to Equifax Canada’s parent company in the United States constituted a disclosure to a third party.
- Given the sensitivity of the information, “more robust, express, consent” was required.
- Individuals must be provided with enough information to understand the nature, purpose and consequences of the collection, use or disclosure of their personal information to be able to consent to same.
- Providing adequate information to the individual about available choices is a key component of valid consent.
- April 2019: The OPC released its report on the Facebook/Cambridge Analytica matter, which focused on (among other things) the issue of valid and meaningful consent. Highlights from the Facebook report include the following:
- Organizations must inform individuals of their privacy practices in a clear, comprehensive and understandable manner. This information must be presented so that users have the relevant information and context to make an informed decision before or at the time when their personal information is collected, used or disclosed.
- Users must be informed of the particular personal information that may be disclosed, to whom it may be disclosed and for what specific purpose. A general and vague statement regarding potential use is not sufficient. More particularly, it will not suffice to obtain a general consent in advance for disclosure that could occurs years later to unknown third parties for unknown purposes.
- If an organization relies on a third party to obtain this consent, the organization must take reasonable measures to ensure the third party is actually obtaining meaningful consent.
- It is important to note that in response to a refusal by Facebook to implement the recommended changes, the OPC has announced its plans to take Facebook to court to seek an order to force the company to change its privacy practices.
This sequence of events takes place against the backdrop of the consultation by the OPC on the issue of whether consent should be required for transfers of personal information for processing. This consultation, first announced in April 2019 and updated in June 2019, focuses on how the OPC's guidelines on consent may need to be updated from their previously stated position (dating back as early as 2009).
This trend is not limited to the OPC; Canada's newly appointed Competition Commissioner has commented that the Competition Bureau of Canada is considering pursuing app makers who use personal data without clear consent and that the $10-million cap on fines for deceptive practices may not be appropriate for these kind of privacy violations.
The potential involvement of the Competition Commissioner in the regulation of matters involving information, data, data misuse, and collections of personal information is not surprising, particularly given the intense scrutiny of privacy violations by the United States Federal Trade Commission under its parallel authority to regulate unfair and deceptive practices.
This recent activity demonstrates an increasing focus on the issue of consent and that consent has become a central theme in moving Canada toward a more modern approach to privacy.
Accordingly, organizations are well advised to review their existing consent practices in light of this evolving trend and consider what measures may be required to meet this maturing standard. Paying attention to regulatory expectations is not only important to stay onside with your obligations; it is also critical to litigation risk management.