Legal Grounds for Data Processing

Under PIPEDA (and similar provincial statutes) the central legal ground for processing personal information is consent, some of the key requirements of which are set out above. Unlike jurisdictions in the EU, there are no overarching alternative grounds, such as “legitimate interests” or “contractual necessity”, on which businesses can rely to process personal information without obtaining consent, although the law does provide for some explicit exceptions that fit broadly within some of the other grounds for processing contained in the General Data Protection Regulation (GDPR).

In addition to the requirements respecting consent that are listed above (under “Definitions – Consent”), PIPEDA includes the following requirements:

  • Consent must generally be obtained at or before the time of collection of personal information.
  • Personal information can only be used for the purposes for which it was collected (or as required or permitted by law), otherwise additional consent must be obtained.
  • Individuals have the right to withdraw consent at any time, subject to legal and contractual restrictions.

PIPEDA includes several exceptions to the requirement to obtain consent, although the majority of these are unlikely to apply to marketing activities. Some of the exceptions would broadly fit within some of the authorized legal grounds under the GDPR, for example:

  • like the “legal obligations” ground in the EU law, consent is not required to process personal information where required by law.
  • like the EU’s “vital interests” ground, the Canadian law allows for processing of personal information without consent where it is clearly in the interests of the individual and consent cannot be obtained in a timely way, and for disclosure to persons who need the information because of an emergency that threatens the life, health or security of the individual in question.

Of the exceptions likely to be most relevant to marketers, PIPEDA includes the following provisions:

  • “Business contact information” (e.g., name, business title, postal and email address, telephone number) may be collected, used and disclosed without consent where it is used or disclosed solely for the purpose of communicating with the individual in question in relation to their employment, business or profession.
  • Information that is “publicly available” may be collected and processed without consent; however, this exception only applies to narrow categories of information set out in regulations, not to personal information that is generally in the public domain. Examples of “publicly available” personal information that may be processed without consent include:
    • personal information available in a telephone directory (where a subscriber can refuse to have their information included in the directory);
    • personal information in a professional or business directory, listing or notice that is available to the public, provided that the processing of the information relates directly to the purpose for which the information appears in the directory; and
    • personal information that appears in a publication (including a magazine, book or newspaper) in printed or electronic form, where the individual has provided the information to the publication.

Related to the narrow exception for publicly available information, PIPEDA effectively prohibits an organization from “address harvesting” (i.e., the use of a crawler to search for and collect electronic addresses, or the use of addresses collected in this way), since the law provides that no exceptions in the law apply to such activities, meaning consent would be required from each address owner.

As an overarching requirement, PIPEDA provides that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, paving the way for what might be termed “illegal grounds for processing”. Even if an organization does obtain consent, if the purposes are found to be “inappropriate”, the organization would be violating the law.

In 2018, the Office of the Privacy Commissioner of Canada issued its Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), which sets out a series of “no-go zones” where processing of personal information would be considered inappropriate from the perspective of a reasonable person. These “no-go zones” include:

  • collection, use or disclosure that is otherwise unlawful (i.e., contrary to statute, regulatory decision, court order, etc.);
  • profiling or categorization (whether based on data analytics or any other method) that leads to unfair, unethical or discriminatory treatment contrary to human rights law. Prohibited grounds of discrimination in federal human rights law are race, national or ethnic origin, colour, religion, age, sex, sexual orientation, gender identity or expression, marital status, family status, genetic characteristics, disability and conviction for an offence for which a pardon has been granted or a record suspension has been ordered;
  • processing for purposes that are known or likely to cause significant harm to the individual, such as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on an individual’s credit record and damage to or loss of property;
  • publishing personal information with the intended purpose of charging individuals for its removal;
  • requiring passwords to social media accounts for the purpose of employee screening; and
  • surveillance by an organization through the audio or video functionality of the individual’s own device.

The guidance is available at: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gd_53_201805/