Not infrequently, customers may resort to consumer affairs columnists and other third parties, such as consumer advocacy groups, in order to resolve issues that they are having. In these circumstances, is there implied consent for the vendor of the goods or services to disclose personal information to the third party advocate?
This was the issue in an October 31, 2014 Report of Findings by the Office of the Privacy Commissioner of Canada (OPC) regarding an investigation into the allegations that an Internet Service Provider (ISP) improperly disclosed personal information to a newspaper columnist. The OPC agreed with the ISP that there was reason to believe implied consent existed, and that the ISP's response was appropriate, in the circumstances.
Background on the case
After failing to resolve a longstanding internet service dispute with his ISP, a consumer e-mailed a newspaper columnist with instructions to resolve the dispute with the ISP. The newspaper columnist is known by the consumer and public as a consumer advocate who intervenes and tries to resolve problems consumers face with organizations.
The columnist forwarded the consumer's e-mail to the CEO of the ISP seeking a response to the complaint. The ISP responded to the columnist, who then forwarded the response to the consumer. The consumer objected to the ISP sharing his personal information to the columnist without his consent. The ISP argued they believed they had the consumer's implied consent, the information they disclosed to the columnist was not sensitive and it was relevant to defending itself against the consumer's allegations. The OPC agreed with the ISP.
Key points for organizations
1. Does an organization require express or implied consent?
Two types of consent exist under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) – express and implied. In general, express consent should be sought, especially when the personal information is considered sensitive. When information is not sensitive, implied consent is generally considered appropriate.
In this case, the OPC found the ISP disclosed non-sensitive information about the history of the consumer's dispute with the ISP.
2. In some circumstances, organizations can reasonably assume
implied consent from the
individual's actions or inactions.
An organization should consider the reasonable expectations of the individual when obtaining consent. Consider whether the individual has certain knowledge or understanding of the information and context to assist in determining their expectations, and subsequently consent.Implied consent is appropriate in situations where the intended use or disclosure of personal information is clear from the context.
Given that the consumer sought assistance in resolving his dispute with the ISP when he contacted the newspaper columnist, it was a reasonable expectation that his information would be disclosed in order to address the very information he put into question.
3. An organization should limit its disclosure when it relies on implied consent.
An organization does not have carte blanche under implied consent and the OPC scrutinizes the information being collected or disclosed. The ISP limited its disclosure to information only related to the consumer's allegations, in order to properly defend itself against said allegations, and to properly respond to the columnist's inquiries during a dispute resolution situation.
The information that was disclosed was entirely related to the issue that the consumer initiated.
In this case, the OPC found the ISP had a reasonable belief to rely on implied consent, and that the ISP properly limited the disclosure to personal information that was relevant to the complaint against them.
Organizations should continue to be mindful of the before, during and after around implied consent; the sensitivity of the information, the individuals reasonable expectations and actions/inactions, and limiting the collection or disclosure of information to the particular context.
For more information, visit our Privacy and Data Security blog at www.datagovernancelaw.com
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.
Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.
Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.
Learn more at www.dentons.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.