Highly Sensitive Personal Information – Obtaining Consent Directly

Highly Sensitive Personal Information – Obtaining Consent Directly

PIPEDA Findings # 2024-001, released on February 29, 2024, involving MindGeek’s consent confirmation processes provides an important reminder of the importance of ensuring consent of a data subject before their sensitive information will be disclosed. 

MindGeek, rebranded to Aylo in August 2023, is a global technology company that  owns, operates and provides services to many of the world’s most popular pornographic websites. Originally scheduled for release in May 2023, the investigation report was delayed as Aylo pursued legal proceedings against the Office of the Privacy Commissioner of Canada (OPC). This included seeking an order barring release of the report pending the completion of its litigation. The report was released end of February  as Aylo was unsuccessful in that attempt. 

In 2015, the complainant’s ex-boyfriend uploaded an intimate video depicting the complainant to various MindGeek websites, without her knowledge and consent. Pursuant to its normal practice, MindGeek did not seek the complainant’s consent to collect, use and disclose her intimate images, and instead relied exclusively on the uploader, her ex-boyfriend, to attest that she had consented to the video being distributed on MindGeek’s websites. 

The (OPC) had previously concluded that organizations may rely, in appropriate circumstances, on consent obtained from an individual via a third party. However, this decision clarified that organizations can only do so to the extent that they have implemented reasonable measures to ensure that such consent is valid and meaningful. 

At the time of the relevant complaint, MindGeek had very limited measures in place to ensure that consent represented by the uploader was valid. MindGeek also relied on human moderators to scan content for compliance with Terms of Service, including that all individuals depicted in the content had consented to its upload. However, the OPC stated moderation is not an appropriate tool for determining whether an individual has consented to the collection, use and disclosure of their personal information by MindGeek, as it involved merely ensuring an absence of signs of non-consensual sexual activity and/or recording. Clearly, an individual may have consented to the sexual activity and its recording without agreeing to have the video uploaded to a MindGeek website. The decision states: “This consent model could only result in devastating consequences for thousands of individuals whose intimated images were shared online without their knowledge and consent”. 

This decision also includes a discussion of many other privacy concerns, such as using identifiable information in the video’s title and tags, but these topics are beyond the scope of this blog post.  

Given consent is a fundamental principle of privacy, organizations can learn the following from this decision: Consent must be obtained directly from individuals when:  

  1. the personal information in question is highly sensitive and there is a significant risk of harm associated with its non-consensual disclosure;
  2. and third parties being relied upon for consent can be motivated to misrepresent that they have obtained each individual’s consent (this is often the case for image-based abuse). 

The OPC concluded that MindGeek’s 2015 process contravened section 6.1 as well as Principle 4.3 of Schedule 1 of PIPEDA by failing to obtain meaningful express consent from the complainant, and more generally, from each individual depicted in content uploaded to its websites. The OPC reminds businesses in this decision that, as outlined in the OPC’s Guidelines for Obtaining Meaningful Consent, when obtaining such consent, the following must be clearly communicated:  

  1. what personal information is being collected, 
  2. with which parties personal information is being shared, 
  3. for what purposes personal information is being collected, used or disclosed, and 
  4. any other consequences associated with the upload of content to its websites, including but not limited to the potential sharing of the content across the internet resulting in a loss of control over the uploaded content. 

Contact us if you need help with your consent practices.

Join us for the CIPP/C training course where we discuss foundational CANADIAN privacy decisions from the privacy regulators and the courts!

Registration deadline is April 30th!