No fly zone- new PIPEDA guidance on inappropriate data practices

On May 24, Canada’s federal privacy regulator, the Office of the Privacy Commissioner, released a critical interpretation document intended to guide how companies subject to the federal private sector privacy act, the Personal Information Protection and Electronic Documents Act, will be allowed to collect, use and disclose personal information, as viewed from the perspective of the reasonable person.

The guidance on inappropriate data practices is intended to offer interpretation on s. 5(3) of PIPEDA, which requires that organizations may collect, use or disclose personal information only for purposes that a “reasonable person would consider appropriate in the circumstances.” The OPC will begin to apply the guideline on July 1, 2018.

The guidance was developed in part by the OPC based on past Canadian court decisions (such as the Federal Court decision in Turner v. Telus Communications Inc.), which established various factors to determine whether an organization’s purpose complies with this subsection. These include: whether the organization’s collection of the personal information represents a legitimate need or bona fide business interest; the degree of sensitivity of the personal information involved; whether the collection, use and disclosure of the information would be effective in meeting the organization’s need; whether there are less invasive means of achieving the same business ends at comparable cost that achieve the same benefits; and whether any loss of privacy is proportional to the benefits.

Recognizing that any evaluation of an organization’s information practices under this subsection will necessarily require both contextual analysis and a review of the particular facts, the OPC has nonetheless established six “no-go zones” of behaviour that are completely offside PIPEDA and are essentially prohibited. The current no-go zones described in the guideline are as follows:

  1. Collection, use or disclosure that is otherwise unlawful. Organizations that collect, use and disclose the personal information of individuals in a manner that violates other Canadian federal or provincial laws will definitely fail the “what-a-reasonable-person-would-consider-to-be-appropriate” test. So if a landlord’s operation of a bad tenant list lands it in hot water because it is effectively acting as an unlicensed credit reporting agency contrary to provincial credit reporting legislation, it’s a pretty safe bet that such data collection activity would also be in contravention of this section of PIPEDA.

  2. Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law. Basically, any kind of data analytics, profiling or categorization that results in negative inferences about individuals or groups that could lead to discrimination based on prohibited grounds contrary to human rights law is unacceptable, although the OPC recognizes that whether a result is deemed unfair will have to be assessed on a case-by-case basis. The OPC is clearly concerned here about the potential for biased decision-making based on the flawed use of Big Data and the need to ensure that results from any profiling activity do not lead to unintended consequences.

  3. Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual. Recognizing that individuals are willing to trade off a reasonable amount of privacy to enjoy the benefits of the “digital marketplace,” the OPC issued the caveat that it would be unreasonable for organizations to require individuals to experience “significant privacy harms” just to obtain products or services. They list such harms as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on one’s credit record and damage to or loss of property.” It would have been helpful for the guideline to offer some concrete examples here to add clarity, but, unfortunately, none were actually provided.

  4. Publishing personal information with the intended purpose of charging individuals for its removal. It’s clear that the OPC is especially irritated by companies that make their money publishing sensitive personal information online for the primary purpose of charging individuals to have it removed (see the OPC’s detailed 2015 investigation of the practices of Globe24h, later confirmed by the Federal Court of Canada). This blackmail behaviour is definitely out of bounds and will not be tolerated.


  5. Requiring passwords to social media accounts for the purposes of employee screening. The Digital Privacy Act amended PIPEDA to protect the personal information of job applicants as well as employees of federal works, undertakings and businesses (such as banks, airlines and telecommunication companies). The OPC observed that many job applicants are pressured to give up their passwords to their social media accounts when requested by prospective employers or risk losing the job opportunity, even though access to some sensitive personal information contained on such sites may not be relevant or necessary for the employer’s legitimate business purposes. Following on the practices of many U.S. states that have expressly banned this practice, the OPC confirmed that requiring job applicants to give up passwords to their social media accounts for the purposes of employee screening is unacceptable.


  6. Surveillance by an organization through audio or video functionality of the individual’s own device. The OPC reserved some of its harshest criticism for the privacy-invasive practices of some organizations that creepily track individuals through the audio or video functionality of their devices, either covertly (without an individual’s knowledge or consent) or even following so-called individual consent, particularly when the practice is grossly disproportionate to the business objectives sought to be achieved. An example of this is a rent-to-own computer company that installed spyware applications on its hardware to covertly trace missing laptop computers but instead also surreptitiously collected screenshots, keystrokes, webcam photographs and oodles of other personal information of its customers. The resultant loss of privacy from the use of such spyware was determined by the OPC to be so disproportionate as to be beyond reasonable, but the regulator did note that it may be permissible for the audio/video functionality of a device to be regularly or constantly turned on in order to provide a service if individuals are aware of this fact and the captured information is not recorded, used, disclosed or retained except for the specific purpose of providing the service.

The OPC acknowledged that the above list of no-go zones is by no means exhaustive and has committed to periodically updating and revising the list as warranted. In the meantime, the guidance does provide some welcome examples of prohibited behaviours as well as useful insight into the expectations of the regulator regarding this section of PIPEDA.