In the digital age, personal information and data is a new quasi-currency. Privacy is often the trade-off to use a digital service that is 'free' in the traditional sense. As early as 2009, the OPC recognized this trade-off, and found, for example:
Facebook has a different business model from organizations we have looked at to date. The site is free to users but not to Facebook, which needs the revenues from advertising in order to provide the service. From that perspective, advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising.
In May, the Office of the Privacy Commissioner of Canada (the "OPC") introduced Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) (the "Inappropriate Data Practices Guidelines"). The Guidelines interpret Subsection 5(3) of PIPEDA:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Applying this subsection requires a balancing of interests between the individual and the organization, and this analysis should be viewed through the eyes of a reasonable person. The OPC is of the opinion that the following purposes for collection, use or disclosure of personal information would generally be considered "inappropriate" by a reasonable person and therefore are currently considered to be offside PIPEDA.
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law. Data analytics or other profiling/categorization that could lead to discrimination contrary to human rights law would not be considered "appropriate". Unfair or unethical results will require a case-by-case assessment; however, the OPC is of the view that these types of results will also generally be found to be inappropriate.
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual. Individuals typically understand that the digital marketplace is filled with privacy trade-offs; however, it is not appropriate for organizations to require an individual to undergo significant privacy harm as a known or probable cost for products or services. Significant harm means "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on (one's) credit record and damage to or loss of property".
- Publishing personal information with the intended purposes of charging individuals for its removal. "Blackmail" is not an appropriate purpose and this has previously been declared as offside to PIPEDA (see OPC investigation of Globe24h).
- Requiring passwords to social media accounts for the purpose of employee screening. Requiring passwords in order to access private social media accounts may expose highly sensitive personal information that are neither relevant nor necessary for the employers' legitimate business purposes. As a result, requiring passwords to social media accounts for the purposes of employee screening is generally not appropriate.
- Surveillance by an organization through audio or video functionality of the individual's own device. Generally speaking, organizations cannot track an individual through audio or video functionality of an individual's device, either covertly or with consent in instances where doing so is grossly disproportionate to the business objectives. It may be permissible for the audio or video functionality to be turned on in order to provide a service if the individual is fully aware and in control and the captured information is provided that the information is not recorded, used, disclosed or retained except for the purpose of providing the service.
- Collection, use or disclosure that is otherwise unlawful. Organizations should know all regulatory and legislative requirements that may govern their activities. Individuals should feel safe knowing the collection, use or disclosure of their personal information will not be done for purposes that contravene the laws of Canada or its provinces. This is supported by PIPEDA Principle 4 which requires collection to be "by fair and lawful means".
It is important that businesses be familiar with the Guidelines, as the OPC began applying them in July. The OPC noted that these "No-Go Zones" may evolve over time and plans to periodically revisit and update this list.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.