The End No Longer Justifies the Means: Bill C-27’s new Constraints on Processing Personal Information
On June 16, 2022, the Canadian Minister of Innovation, Science and Industry introduced Bill C-27, which will enact the Consumer Privacy Protection Act (“CPPA”) and repeal Part 1 of the current Personal Information Protection and Electronic Documents Act (“PIPEDA”). This article is part of our Bill C-27 Blog Series, which provides a comprehensive overview of the privacy reform launched by the Canadian government.
Bill C-27’s predecessor, Bill C-11, was first read on November 17, 2020, and died on the order paper following the announcement of the federal election in September 2020. For more information on the changes to PIPEDA that Bill C-11 attempted to introduce, we invite you to read our earlier article.
This article is about a distinction between Bill C-11 and Bill C-27 that looks subtle, at first instance, but may have a significant impact.
What Has Changed Since the 2020 Bill C-11?
As with PIPEDA (subsection 5(3)), Bill C-11’s subsection 12(1) provided that organizations may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Organizations were also required to document their purposes (subsections 12(3) and (4)), and the processing of personal information had to be necessary for those purposes.
The new Bill C-27 adds another requirement: organizations may collect, use and disclose personal information only in a manner and for the purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is otherwise required under the CPPA.
Bill C-11, subsection 12(1): An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
Bill C-27, subsection 12(1): An organization may collect, use or disclose personal information only in a manner and for purposes that a reasonable person would consider appropriate in the circumstances, whether or not consent is required under this Act.
The Purposes Justifying the Collection, Use or Disclosure of Personal Information
The “purposes” requirement forces organizations to justify why they are collecting, using or disclosing personal information. Organizations will be expected to determine the “purpose” behind each of their practices relating to personal information and decide whether each purpose meets the “reasonable person test”. Subsection 12(3) adds that organizations will need to determine and record the “purposes” before or at the time of the collection of personal information.
Each purpose determined by an organization will then affect the type of personal information they can collect. As with its predecessor, Bill C-27 provides that organizations may collect only the personal information that is necessary for the predetermined purposes. This requirement mirrors PIPEDA’s “Limiting Collection” principle (Clause 4.2.2 of Schedule I).
For the “reasonable person” test, organizations need to assess whether a reasonable person would deem their purposes appropriate for collecting, using and disclosing personal information. As under PIPEDA, the test will balance an individual’s right to privacy against an organization’s commercial need to collect, use or disclose personal information. Given the consistency with PIPEDA, we expect that the Privacy Commissioner of Canada’s Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) will continue to apply.
The Manner in which Personal Information is Collected, Used or Disclosed
Bill C-27 adds a new requirement to those in Bill C-11 by requiring that organizations also justify the reasonableness of the manner in which they are collecting, using and disclosing personal information. It is not entirely clear what Parliament is trying to capture by addressing the manner of collection, use or disclosure.
One theory is that Parliament is trying to address so-called “dark patterns”. However, as we discussed in a recent blog post, section 16 already appears to address dark patterns by prohibiting “false or misleading information or using deceptive or misleading practices” to obtain consent.
A second theory is that it is simply a restatement of PIPEDA’s “Limiting Collection” principle, which provides that “information must be collected by fair and lawful means.” This topic has not received much attention since PIPEDA came into force. Rather, the Commissioner has relied on subsection 5(3), in particular in the guidance discussed above. However, the Commissioner set a high threshold for what is unreasonable, limiting it to collections, uses and disclosures of personal information that were otherwise illegal, discriminatory, extortive or deeply invasive (such as requiring an employee to provide their social media account passwords for screening, or highly invasive surveillance using personal devices).
A final theory is that limiting the “manner” of collection is seeking to regulate certain means of collection. For example, Bill C-27 permits the collection of personal information without consent for “safety of a product or service that the organization provides”. While it might be appropriate to collect information about medical conditions before allowing an individual to engage in high-risk activities, it may not be reasonable to collect that information through surreptitious medical tests.
What is clear is that the change to subsection 12(1) is not clear. In our view, Parliament should amend Bill C-27 to explain what it intends to address by applying the reasonableness threshold to the manner of collection, use and disclosure.
Assessing whether the Purposes and Manner are Appropriate
Subsection 12(2) also provides the factors that must be taken into account in determining whether the purposes and manner are appropriate:
(a) the sensitivity of the personal information;
(b) whether the purposes represent legitimate business needs of the organization;
(c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
(e) whether the individual’s loss of privacy is proportionate to the benefits in light of the measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Appropriateness is likely to depend on the circumstances, including the nature of the personal information at stake. It will also depend on the type of commercial activities that the organization conducts. Where less intrusive alternatives are available, an organization that chooses to maintain its practices will need to justify why it has not opted for said alternative means.
That said, in light of these factors, which seem inspired by PIPEDA case law, we do expect that the Commissioner’s guidance discussed above will continue to apply.
Purposes and Manner Must Be Appropriate, Regardless of Consent
Bill C-27 states what was implicit under PIPEDA: obtaining prior consent is not sufficient to demonstrate compliance. Subsection 12(1) specifies that the “reasonable person” test must be met whether or not consent is required by another section. As such, organizations will not be able to rely on the fact that they have obtained an individual’s consent to justify their collection, use or disclosure of personal information. Obtaining consent would nonetheless likely be a factor favourable to an organization’s practice, one that could be considered when balancing the various interests at play.
Finally, although compliance with subsection 12(1) will be a prerequisite to any organization’s collection, use and disclosure of personal information, Bill C-27 also provides more specific requirements that can additionally apply to that collection, use and disclosure. Organizations will therefore need a comprehensive understanding of the CPPA, should Bill C-27 be adopted into law.
In sum, Bill C-27 goes further than its predecessor and the current PIPEDA by adding that the manner in which personal information is collected, used or disclosed by organizations must be reasonable. This addition is in line with the legislative objectives behind Bill C-27, which focus on individuals’ control over their personal information. That being said, the appropriate manner test might prove difficult to assess given the lack of clarity and the lack of explanation for the change from Bill C-11.