Important New Shift in Canadian Privacy Law: Legitimate Interest Exception to Consent


By Jeff Holowaychuk and Abigail Choi

The proposed Consumer Privacy Protection Act (“CPPA”), which forms part of Bill C-27, represents a significant overhaul of Canadian privacy laws. While Canada’s current privacy laws are primarily consent-based, the CPPA proposes to introduce new exceptions to the requirement to obtain consent for the collection, use and disclosure of personal information, further aligning Canada’s federal privacy regime with recent international developments.

One of the more significant changes brought about by the CPPA is the introduction of an exception to consent based on an organization’s legitimate interest. This proposed change will allow organizations to collect or use an individual’s personal information, without their knowledge or consent, for an activity in which the organization has a legitimate interest, subject to certain requirements.

How the new legitimate interest exception will apply in Canada, if adopted, remains to be seen. In the meantime, we can look to privacy laws in the EU/UK and Singapore, which have both adopted the legitimate interest concept, to provide some insight into how this exception may operate in Canada.

How does Canada’s proposed Legitimate Interest exception compare to other jurisdictions?

The table below sets out the legitimate interest sections from the EU/UK and Singapore privacy laws for comparison purposes against the proposed CPPA.

Consumer Privacy Protection Act

18(3) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of an activity in which the organization has a legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use and:

(a) a reasonable person would expect the collection or use for such an activity; and

(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

(4) Prior to collecting or using personal information under subsection (3), the organization must:

(a) identify any potential adverse effect on the individual that is likely to result from the collection or use;

(b) identify and take reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them; and

(c) comply with any prescribed requirements.

Singapore’s Personal Data Protection Act (“PDPA”)

17(1) An organization may —

(a) collect personal data about an individual, without the individual’s consent or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule;

(b) use personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or

(c) disclose personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule.

First Schedule–Part 3 (Legitimate Interests)

1(1) Subject to sub‑paragraphs (2), (3) and (4):

(a) the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organization or another person; and

(b) the legitimate interests of the organization or other person outweigh any adverse effect on the individual.

(2) For the purposes of sub‑paragraph (1), the organization must:

(a) conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub‑paragraph (1) is satisfied; and

(b) provide the individual with reasonable access to information about the organization’s collection, use or disclosure of personal data (as the case may be) in accordance with sub‑paragraph (1).

(3) The organization must, in respect of the assessment mentioned in sub‑paragraph (2)(a):

(a) identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual;

(b) identify and implement reasonable measures;

(i) to eliminate the adverse effect;

(ii) to reduce the likelihood that the adverse effect will occur; or

(iii) to mitigate the adverse effect; and

(c) comply with any other prescribed requirements.

EU/UK General Data Protection Regulation (“GDPR”)

6(1) Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.]

When viewed side by side, it is apparent that the CPPA drafters borrowed heavily from Singapore’s PDPA to import the concept of legitimate interest into Canadian privacy law, though the influence of the GDPR on global privacy laws more generally cannot be overstated. Accordingly, the following sections provide an overview of how both the GDPR and the PDPA approach the legitimate interest analysis.

How is the Legitimate Interest Analysis conducted under GDPR?

Under the GDPR, the legitimate interests of an organization provide a stand-alone legal basis for processing personal information, rather than an exception to consent. The three-part test developed under the GDPR for an organization to process personal information based on its legitimate interests requires the organization to conduct the following analysis:

  1. Purpose – Does the organization have a legitimate interest for the processing?

The first step of the legitimate interest test is to identify the legitimate interest for which the organization will process personal information. This can include processing to support essential business functions or processing for non-mandatory business purposes. Some considerations for this step include:

  • the reason(s) to process the personal information;
  • whether there are any public or third-party benefits from the processing and the importance of those benefits;
  • the impact of not processing the personal information; and
  • compliance with other relevant laws and ethical considerations.

Based on Guidelines issued by the European Data Protection Board (“EDPB”), an organization’s legitimate interests may be legal, economic or non-material, as long as that interest is a real, present issue (as opposed to being fictional or speculative). Recitals 47 to 50 of the GDPR provide examples of activities that could constitute a legitimate interest, including:

  • preventing fraud;
  • ensuring network and information security;
  • reporting possible criminal acts or threats to public security;
  • processing employee or client data;
  • direct marketing; and
  • facilitating administrative transfers within a group of companies.

Of particular importance for businesses, the EDPB recently confirmed that a purely commercial interest may qualify as a legitimate interest.

  2. Necessity – Is the processing necessary for the legitimate interest?

The second step of the test requires organizations to consider whether the processing is necessary for the legitimate interest identified in the first step of the test. Key considerations for this step include whether:

  • the processing will actually assist in achieving the stated purpose;
  • there is an alternative way to achieve the purpose; and
  • there is a less intrusive way to achieve the purpose.

  3. Balancing – Is the legitimate interest overridden by the fundamental rights and freedoms of the individual?

The final step of the test involves balancing the organization’s legitimate interest against the fundamental rights and freedoms of individuals. Some key factors to consider as part of the balancing test include:

  • the nature and sensitivity of the personal information to be processed;
  • the reasonable expectations of the individual and the nature of the organization’s interests; and
  • the impact on the individual and whether there are safeguards that can mitigate any negative impact.

After conducting the above analysis, if an organization decides to rely on its legitimate interests for processing, it must inform individuals of that fact when collecting their personal information.

EU supervisory authorities have investigated a number of organizations for their reliance on the legitimate interests provision. In some of those instances, the supervisory authority has ordered the organization to cease processing personal information on the basis of its identified legitimate interest. For example:

  • Following thefts at a worksite, a Slovenian employer installed GPS trackers in company vehicles and relied on its legitimate interest to protect its vehicles, equipment and documentation from theft. While the Slovenian supervisory authority found that safety of property could be a legitimate interest, the constant collection of personal information by the GPS trackers was not appropriate or necessary to achieve that legitimate interest. In particular, the supervisory authority found that the constant GPS surveillance, including when the vehicle and equipment were under the direct supervision of employees, was disproportionate when less intrusive measures were available, such as a GPS tracker that could be disabled by the driver when the vehicle was in use.
  • A Spanish hotel scanned the photo page of guest passports during check-in and used those photos to verify the identity of guests when they used their hotel keycard to access hotel services (e.g. the bar and canteen). The hotel relied on its legitimate interest to prevent fraudulent use of hotel services and to protect guests from serious financial harm as the basis for this processing. However, the Spanish supervisory authority found that there were less intrusive ways to verify the identity of keycard users and that the risks of data breaches or misuse of passport information by hotel employees outweighed the hotel’s identified legitimate interest.

How is the Legitimate Interest Analysis conducted under the PDPA?

The PDPA sets out a number of specific exceptions to consent that would be considered legitimate interests. These include collection, use or disclosure of personal information for evaluative purposes, to obtain or provide legal services and to enter into, manage or terminate an employment relationship.

However, the PDPA also includes a general legitimate interest exception that may apply to a broad range of circumstances and purposes, similar to the legitimate interest provision in GDPR. Organizations that wish to rely on this general legitimate interest exception are required to conduct an assessment to determine whether the legitimate interest of the organization outweighs any adverse effect on individuals.

Based on the terms of the PDPA, associated Regulations and the Personal Data Protection Commission’s (“PDPC”) Advisory Guidelines (“Guidelines”), this assessment requires organizations to conduct the following analysis:

  1. Define the legitimate interest

The first step of the assessment requires the organization to identify and describe the legitimate interest (e.g. a situation or purpose) that justifies the collection, use or disclosure of personal information without consent. This stage of the assessment should also identify:

  • the objectives or purpose for collecting, using or disclosing the personal information;
  • the types and volume of personal information that will be collected, used or disclosed;
  • how that personal information will be collected, used or disclosed; and
  • the benefits arising from the collection, use or disclosure of personal information relating to the legitimate interest and expected beneficiaries.

When identifying the benefits noted above, the Guidelines instruct organizations to focus on direct benefits, though they may consider whether there could be any negative impacts on individuals or others if the organization is not able to rely on the exception. Further, the Guidelines state that any identified benefits must be real and present, rather than speculative.

Examples of potential direct benefits set out in the Guidelines include the security of business assets and individuals, prevention of fraud and detecting the misuse of services.

  2. Assess the likelihood of adverse effects

The next step in the assessment is to identify any adverse effect that the collection, use or disclosure is likely to have on individuals. The PDPC considers “adverse effect” to generally include physical harm, harassment, serious alarm or distress to an individual. However, certain instances of differential treatment of individuals, such as differences in insurance premiums or loan refusals based on a poor credit score, will not constitute an adverse effect.

The Guidelines state that organizations should consider the following factors when determining whether there are any adverse effects on individuals:

  • the impact of the collection, use or disclosure of personal information on individuals, which includes an assessment of the likelihood and severity of all reasonably foreseeable risks and adverse effects to individuals;
  • the nature and type of personal information and whether the individuals belong to a vulnerable segment of the population;
  • the extent of the collection, use or disclosure of personal information and how it will be processed and protected;
  • the reasonableness of the purpose for collection, use or disclosure of personal information; and
  • if applicable, whether any predictions or decisions about individuals that may arise from the collection, use or disclosure of the personal information are likely to cause physical harm, harassment, serious alarm or distress to those individuals.

In addition to documenting any adverse effects, organizations are expected to identify:

  • any reasonable measures that can or will be implemented to eliminate, reduce the likelihood of or mitigate those adverse impacts; and
  • any residual adverse effects on individuals after implementing those measures.

  3. Consider whether the legitimate interest outweighs the residual adverse effects

If the organization identifies any residual adverse effect on individuals after implementing preventative measures, the final step of the assessment requires the organization to conduct a balancing test to determine whether the legitimate interest outweighs those residual adverse effects, and to set out the reasons for its conclusion that the legitimate interest outweighs any adverse effect on the individual.

If the organization decides to rely on the legitimate interest exception after completing the above assessment, it must disclose that reliance to individuals, such as through a publicly accessible privacy policy, signage or other means. This disclosure obligation does not require the organization to make its legitimate interest assessment publicly available.

In March of this year, the PDPC issued its first decision on the application of the legitimate interest exception in the PDPA. In that decision, the PDPC confirmed that the collection of photographs of identification documents by RedMart, an online supermarket, from suppliers who delivered goods and produce to its warehouses was permitted under the legitimate interest exception. The PDPC found that:

  • RedMart’s collection of the photographs served the legitimate interest of deterring and investigating potential food security incidents which could harm the public and its reputation;
  • while the collection of the photos could expose individuals to the risk of unauthorized use or disclosure of personal information, RedMart implemented measures to mitigate those risks, including by limiting collection, restricting access to the photos and establishing a limited photo retention policy; and
  • the legitimate interest of deterring food security incidents outweighed the residual risks posed to the visitors in light of the controls that RedMart put in place to protect the photos.

What can we expect in Canada?

It is currently uncertain how the legitimate interest exception, if adopted, will be applied in Canada. Generally, EU/UK privacy legislation is highly influential upon Canadian privacy law. However, given that the legitimate interest provision in the CPPA mirrors that of Singapore’s PDPA, it is likely that Canada’s approach will align more closely with the PDPA.

That said, the CPPA adds a further layer to the legitimate interest exception by:

  • limiting its application to circumstances where a reasonable person would expect the collection or use of their personal information in relation to the organization’s activity; and
  • prohibiting reliance on the legitimate interest exception for the purpose of influencing an individual’s behaviour or decisions.

As a result of those additions, even if the legitimate interest analysis under the CPPA follows the lead of its Singaporean or European predecessors, it will have a distinctly Canadian flavour.

If you have any questions about the proposed legitimate interest exception in the CPPA, contact a member of our Privacy team.