Commentary of the Office of the Privacy Commissioner on feedback received through the 2017 consent guidance consultation

On September 28, 2017, the Office of the Privacy Commissioner of Canada (OPC) posted two draft guidance documents for comment:

  • Draft guidelines: Obtaining meaningful online consent (the “Consent guidelines”), and
  • Draft guidance: Inappropriate data practices—Interpretation and application of subsection 5(3) (the “5(3) guidance”).

During the comment period, a total of 13 submissions were received:

  • two from individuals,
  • one from a private-sector organization, and
  • ten from associations representing private-sector organizations.

With this commentary document, we intend to describe the themes of the comments received,Footnote 1 as well as discuss why certain changes were—or were not—made to the documents in question.

Although there is overlap between the comments on each paper, we will consider the Consent guidelines and the 5(3) guidance in turn.

On this page

Feedback on the Draft guidelines for obtaining meaningful consent

Theme 1: Binding nature of guidance (“must” vs. “should”)

In general, submissions appreciated the OPC’s intention to provide additional information and guidance around obtaining meaningful consent. However, they were concerned that in some places the language was “binding in tone” in ways that suggested the document was introducing new legal standards and/or new obligations.

OPC response

The OPC cannot, of course, use guidance documents to establish new legal standards. However, we think our role as a regulator includes giving guidance that clarifies or breathes life into the Personal Information Protection and Electronic Documents Act (PIPEDA) requirements and sets expectations as to how PIPEDA should generally be interpreted and applied, subject to individual determinations in the course of investigations and eventually court decisions. As a technologically neutral and principles based statute, PIPEDA is by nature broad in its formulation. While this has important virtues, it does not bring an adequate level of certainty to individuals and organizations. Guidance has a role in bringing a level of specificity to generally expected behaviour.

In the Consent guidance, we have used both “must” (to signify a requirement arising from a legal obligation) and “should” (to signify a best practice). Following the comments received, we reviewed and edited the guidance to ensure that any practice described with a “must” clearly and directly flows from a legal obligation, whereas those practices that represent one of many potential ways of meeting an obligation (such as the use of “layering”) are described with “should”. For instance, the guidance that key elements must be emphasized in privacy policies is a requirement that flows directly from the legal obligation to obtain meaningful consent. However, the suggestion that privacy policies use layering as a method to balance completeness and ease of understanding is a best practice.

Theme 2: Form of consent

Submissions raised concerns that, as initially drafted, Principle 3 and the “Form of consent” section combine to create an express consent regime, departing from previous OPC positions and court findings which recognize that implied consent may be suitable in some circumstances.

OPC response

It was not our intention to create a universal requirement for express consent. We have re-drafted Principle 3 to indicate that the principle is intended to communicate that consent cannot be required for any collection, use or disclosure of personal information that is not integral to the provision of the product or service; clearly explained and readily accessible choices must be made available.

We do note, however, that the requirement to provide choices is an obligation which can be found in legislation, and is not newly introduced by this guidance.

Beyond this, while some submissions raised comments about the “Form of consent” section (and in particular its understanding of the RBC v. Trang Supreme Court decision), the OPC is of the view that it is an accurate reflection of existing caselaw, enhanced with a discussion of the impacts of risks of harm on the form of consent.

Theme 3: Harms

As the Consent guidelines makes the first explicit mention of disclosing “Risks of harm” as part of privacy communications, as well as integrating risk of harm into organizations’ determinations with respect to the appropriate form of consent, it is unsurprising that many submissions included comments on it.

Submissions on “harm” can broadly be separated into two groups: uncertainty about what would need to be disclosed, and (in smaller numbers) objection to the need to make such disclosures.

With respect to the former, along with a general uncertainty about what should be disclosed, commenters asked about likelihood, foreseeability, and/or severity thresholds that would have to be met to warrant disclosure of a harm; whether disclosable harms limited to those which are in the organization’s direct control (as opposed to, for instance, caused by the behavior of other users); and what definition of “harmful” should be used, given the subjective and person-specific nature of “harm.”

With respect to the general objection to disclosing harms, some questioned whether the disclosure of all potential harms would lead to overly-long communications, and one organization suggested that such disclosures would create an unacceptable level of civil liability.

OPC response

The OPC considers that the requirement to disclose harms flows from the definition of “valid consent” introduced to PIPEDA by the Digital Privacy Act. This definition requires that, for consent to be valid, it must be reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. Potential harm would seem, to us, to fall into the category of “consequences” which should be understood by the individual.

Beyond this, we believe that the concept of harm plays an important and increasingly recognized role within privacy protection. Privacy is a human right, and its protection goes beyond the prevention of “harm”—but this does not mean that potential harms are not a key consideration for individuals. In fact, a number of stakeholders heard during consultations we held before issuing these guidelines specifically asked that harm be added as a consideration for informed consent and the definition of no-go zones. Moreover, harm plays an important role in privacy protection in jurisdictions such as the United States.

With respect to what harms should be disclosed (including thresholds for disclosure), we note that we are referring to those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms. If there is a meaningful residual risk of significant harm, the OPC is of the view that it is a potential consequence about which individuals must be notified. Applicable thresholds (meaningful risk and significant harm) are defined in the guidelines.

Other key changes

Based on submissions received, roundtable discussions, and consultation with provincial colleagues, the following additional key changes have also been made:

  • It is intended that these guidelines be of general application, regardless of the channel through which consent is being obtained. As such, we have removed reference to obtaining consent “online.”
  • Principle 7 (formerly Principle 6) has been revised to focus on demonstrating compliance with applicable legislation, rather than demonstrating effectiveness of the consent process.

Feedback on the Draft guidance on inappropriate data practices—Interpretation and application of subsection 5(3)

Overall, the “interpretation” section of the guidance document—describing subsection 5(3) and its evaluative factors—was well received; no amendments were suggested. However, comments were more divided on the “application” section setting out no-go zones. A number of commenters suggested that no-go zones are too inflexible and do not respect the importance of the contextual approach described in the opening of the paper. Others, though, believed that the no-go zones identified were appropriate.

Specific comments were raised about four of the six listed no-go zones. Broadly, a number of these comments suggested that certain of the no-go zones were unnecessary, as the described collection, use or disclosure is already prohibited by other laws and regulations. Others suggested specific amendments or concerns, such as that No-Go Zone 2 (Profiling or categorization that leads to unfair, unethical or discriminatory treatment) should recognize that there are certain exceptions built into human rights law which allow distinctions that would normally constitute discrimination to be made between individuals in limited circumstances (e.g., bona fide occupational requirements).

OPC response

We continue to be of the view that there is value in providing specific examples of potential inappropriate practices—both for organizations to know when they may be approaching an area that is offside, and for consumers to know that there are certain practices that are generally prohibited.

We are also of the view that this document will not inappropriately restrict the OPC’s ability to use discretion in its application of subsection 5(3) to specific fact scenarios. The no-go zones listed here are strongly indicative of the OPC’s interpretation of subsection 5(3), but not necessarily determinative. However, we have added language to clarify this.

With respect to the specific comments on the no-go zones—and in particular, the comment with respect to human rights law—we have made amendments as necessary.

Related content

Date modified: