Canada’s Privacy Commissioner Releases Final Guidelines

The International Association of Privacy Professionals (IAPP) held their annual Canadian Privacy Symposium in Toronto in May, celebrating the 10th anniversary of the conference. The Privacy Commissioner of Canada, Daniel Therrien, has supported the conference every year of his tenure, by providing a keynote address for delegates as well as using the venue to announce the release of key documents by his Office. This year, the Office of the Privacy Commissioner of Canada (OPCC) released two final guidance documents on May 24th that are the result of international developments (the GDPR), the OPCC’s investigations, and an extensive consultations process:

I)  Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) which the OPCC will begin applying on July 1, 2018. Subsection 5(3) of PIPEDA states: “An organization may collect, use or disclose personal information only for the purposes that a reasonable person would consider are appropriate in the circumstances”. Businesses looking for more guidance as to what is considered ‘unreasonable’ should review these guidelines to learn about the ‘no-go zones’, or inappropriate purposes as outlined by the OPCC (that may evolve over time). The following no-go zones are outlined in the guidance document:

  1. Collection, use or disclosure that is otherwise unlawful;
  2. Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
  3. Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual;
  4. Publishing personal information with the intended purpose of charging the individual for its removal;
  5. Requiring passwords to social media accounts for the purpose of employee screening; and
  6. Surveillance by an organization through audio or video functionality of the individual’s own device.The OPCC intends to periodically revisit and update the no-go zones as warranted.

II)  Guidelines for obtaining meaningful consent which the OPCC will begin applying on January 1, 2019. This document highlights seven guiding principles for meaningful consent:

  1. Emphasize key elements. The OPCC rightfully addresses the fact that complicated and lengthy privacy policies serve no practical purpose – individuals should be able to review the following key facts that may impact their privacy decisions:
    i.    What personal information is being collected;
    ii.    Who personal information is shared with;
    iii.    The purposes for which personal information is collected, used or disclosed;
    iv.    The risk of harm and other circumstances. As clarified by the OPCC, only meaningful residual risks of significant harm must be notified to individuals. We are talking about risks that fall below the balance of probabilities, or the organization shouldn’t be going ahead with the initiative, but that are more than a minimal or mere possibility. For example, the OPCC has held the position since 2009 that if personal data is going to be processed or stored in a foreign jurisdiction, there is some risk that it could be disclosed to government or law enforcement officials of that country. Individuals should be informed of this residual risk;
  2. Allow individuals to control the level of detail they get and when. This section of the guideline speaks to presenting information in a layered format or by a similar way that supports user control over the level of detail provided to them.
  3. Provide individuals with clear options to say ‘yes’ or ‘no’;
  4. Be innovative and creative with ‘just-in-time’ notices, interactive tools and customized mobile interfaces that can be used to highlight privacy issues at particular decision points in the user experience;
  5. Consider the consumer’s perspective;
  6. Make consent a dynamic and ongoing process; and
  7. Be accountable by standing ready to demonstrate compliance and that the consent process implemented is sufficiently understandable (from the general perspective of the organization’s target audience) to allow for meaningful consent.

The Canadian Approach to Privacy Rules for Business

The guidelines end with a great summary of ‘shoulds’ vs. ‘musts’ when it comes to obtaining consent. After all, they do not have the authority of statute or regulation, but are telling as to how the Commissioner will interpret ‘valid consent’ in the years to come. Valid consent is outlined in section 6.1 of PIPEDA as dependent on whether it is “reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” The Canadian model of principle-based, technology neutral legislative language has been felt to be too vague and uncertain by many organizations. However, coupled with detailed, specific guidance documents such as these, and others being planned for release by the OPCC, we achieve clarity with a sound approach in my view. Given today’s rapidly changing data flows and uses, such a flexible approach that can evolve with technological advances seems superior to prescriptive regulations such as the language of the GDPR.

For assistance with ensuring your practices line up with the new guidelines, or for assessing your GDPR compliance, contact PRIVATECH.