While consent remains at the heart of the proposed Consumer Privacy Protection Act ("CPPA") introduced in Bill C-27, which seeks to reform the Personal Information Protection and Electronic Documents Act (PIPEDA), the CPPA provides for a new exception to the requirement for consent: "legitimate interest". This new exception is reminiscent of the legal basis of the same name found in the General Data Protection Regulation ("GDPR"), in force in Europe since 2018. Through a brief overview of the concept in Europe, where it has been evolving for several years, we will attempt to shed light on the anticipated ins and outs of this proposed exception to the requirement for consent in Canada.
1. In Canada: Legitimate Interest as an Exception to the Requirement for Consent
The federal government's proposed CPPA reaffirms consent as the basis for the collection, use and disclosure of personal information under federal private sector privacy law, while also providing for two new broader-based exceptions to consent in addition to the long list of narrower exceptions to this general rule (which are largely also present in PIPEDA). 1
One of the two new broader exceptions to consent is an exception where a legitimate interest would outweigh any potential adverse effect on the individual resulting from the collection or use of their personal information, 2 provided that:
a. the individual would expect the collection or use; and
b. it is not for the purposes of influencing the behaviours or decisions of such individual (e.g. for behavioural marketing purposes). 3
The use of the legitimate interest exception is however subject to the completion of a prior assessment where the organization must:
1. identify any potential adverse effect on the individual that is likely to result from the collection or use for such activity;
2. identify and document how it takes reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them; and
3. document how it complies with any prescribed requirements. 4
An organization must keep records with respect to the foregoing and must, on request, provide a copy of the assessment to the Privacy Commissioner of Canada. 5 In its policies and practices, the organization must also make readily available information on how it uses the personal information and of how it applies the exceptions to the requirement to obtain an individual's consent, including a description of any activities in which it has a "legitimate interest". 6
Thus, the "legitimate interest" proposed in Bill C-27 is an alternative to consent that, in the cases where it is permitted, requires careful advance documentation, as well as transparent disclosure of its use in the organization's policies. As a result, the best and most convenient practice would remain to obtain consent for the collection, use and disclosure of personal information where possible.
2. Parallel with the Legitimate Interest Legal Basis Under the GDPR
Under the GDPR, and contrary to Canadian privacy laws which are firmly consent-based, several legal bases exist for the processing of personal information, as set out in article 6 of the GDPR:
6(1). Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. [...]
Although the legitimate interest legal basis is the last one on the list provided by article 6, this does not mean that it is less important than the others or that it is an exception to a general rule. On the contrary, it is one of the possible bases for the processing, like consent. There is no hierarchy between the legitimate interest and consent under the GDPR. 7
Indeed, according to the European Data Protection Board ("EDPB"):
[...] no specific hierarchy is made between the different lawful basis of the GDPR: the controller needs to ensure that the selected lawful basis matches the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation. 8
In order to rely on the legitimate interest legal basis, the controller must first perform a three-step test to recognize that:
1. the pursuit of the interest by the controller or by the third party or parties to whom the personal information is disclosed is "legitimate" (purpose test);
2. the processing of personal information is necessary for the achievement of the legitimate interest pursued (necessity test); and
3. the controller's legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (balancing test).
This test, generally referred to as the Legitimate Interest Assessment ("LIA"), is not expressly mentioned in Article 6 of the GDPR. That being said, organizations in Europe can rely on the guidance and templates provided by the United Kingdom (UK) Information Commissioner's Office ("ICO") to conduct their LIA, which detail the LIA as reproduced above. 9
Contrary to the CPPA, which refers to "potential adverse effect", the GDPR refers to "the interests or fundamental rights and freedoms of the data subject". Pursuant to the GDPR, in order to assess whether the legitimate interest is overridden by the fundamental rights and freedoms of the individuals (balancing test), the controller shall take into account the reasonable expectations of data subjects (individuals) based on their relationship with the controller. Indeed, according to recital 47 of the GDPR:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. [...].
As mentioned, the assessment above must be documented. 10 The organization must also take appropriate measures to provide information regarding the reliance on a legitimate interest to individuals. 11
In short, the Canadian and European tests both include a balancing of the legitimate interest of the organization against the interests or fundamental rights and freedoms of the data subject in Europe, or the potential adverse effects on the individual in Canada. To date, the question arises as to how to interpret "potential adverse effect", since this expression seems broad, but we do not expect that it would be more permissive than the GDPR. The criteria used in Europe could serve as inspiration in Canada if the text of Bill C-27 were adopted as is, pending Canadian documentation similar to that provided by the ICO, which would certainly be welcomed by the industry.
The introduction of the notion of "legitimate interest" in Canada is a breath of fresh air in the world of privacy, which has long called for uniformity of the legal concepts and rules in the context of frequent inter-jurisdictional transfers of personal information. In the absence of more guidance on the concept of legitimate interest introduced in Bill C-27, the criteria and documentation used on the other side of the Atlantic could be useful to organizations that would be subject to the proposed CPPA in Canada.
However, in order to avoid organizations taking refuge in this exception as soon as consent is difficult to obtain, the Canadian government will have to ensure that it provides tools and procedures to crystallize the concept, its assessment and its application criteria that go beyond the threshold set out in the CPPA, similar to the initiatives of the ICO in the UK. In this way, it can avoid repeating the confusion that has arisen surrounding legitimate interest in Europe. 12
1 CPPA, s. 15.
2 The exception therefore does not apply to the communication of personal information.
3 CPPA, s. 18(3).
4 CPPA, s. 18(4).
5 CPPA, s. 18(5).
6 CPPA, s. 62(2)(b).
7 Individuals' rights shall still be respected. That being said, if the controller relies on the legitimate interest legal basis under the GDPR, the individual will not be able to exercise their right to erasure (GDPR, art. 17) nor their right to data portability (GDPR, art. 20). The other rights however remain exercisable, i.e. the rights to access (GDPR, art. 15), rectify (GDPR, art. 16), restrict the processing (GDPR, art. 18), object to the processing (GDPR, art. 21), as well as the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (GDPR, art. 22).
8 EDPB, Guidelines 8/2020 on the targeting of social media users, para. 48. See also the opinion of the predecessor of the EDPB on the former Directive 95/46 Article 29 Working Group, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, p. 10: "[T]he text of the Directive does not make a legal distinction between the six grounds and does not suggest that there is a hierarchy among them. There is not any indication that Article 7(f) should only be applied in exceptional cases and the text also does not otherwise suggest that the specific order of the six legal grounds would have any legally relevant effect".
9 ICO, "Sample LIA template", online: https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fico.org.uk%2Fmedia%2Ffor-organisations%2Fforms%2F2258435%2Fgdpr-guidance-legitimate-interests-sample-lia-template.docx&wdOrigin=BROWSELINK
10 GDPR, rec. 47.
11 GDPR, art. 12; 13(1)(d); 14(2)(b).
12 OneTrust DataGuidance, "EU: IAB Europe's guide on legitimate interests assessments for digital advertising-Highlights and concerns", online: https://www.dataguidance.com/opinion/eu-iab-europes-guide-legitimate-interests: "Of the six lawful bases for processing set out in Article 6 of the General Data Protection Regulation (Regulation [EU] 2016/679) ('GDPR'), none has resulted in more confusion than legitimate interests. [...] Legitimate interests affords considerable flexibility and appears to offer an alternative to the technical challenges associated with acquiring consent, particularly in the complex Ad Tech ecosystem. This makes it very attractive to controllers. However, it is not always immediately clear when relying on legitimate interests will be appropriate."