While consent remains at the heart of the proposed Consumer Privacy Protection Act
(“CPPA”) introduced in Bill C-27, which seeks to reform
the Personal Information Protection and Electronic Documents
Act (PIPEDA), the CPPA provides for a new exception to the
requirement for consent: “legitimate interest”. This new
exception is reminiscent of the legal basis of the same name found
in the General Data Protection
Regulation (“GDPR”) in Europe since its entry
into force in 2018. Through a brief overview of the concept in
Europe, where it has been evolving for several years, we will
attempt to shed light on the anticipated ins and outs of this
proposed exception to the requirement for consent in Canada.
1. In Canada: Legitimate Interest as an Exception to the
Requirement for Consent
The federal government’s proposed CPPA reaffirms consent as
the basis for the collection, use and disclosure of personal
information under federal private sector privacy law, while also
providing for two new broader-based exceptions to consent in
addition to the long list of narrower exceptions to this general
rule (which are largely also present in PIPEDA). [1]
One of the two new broader exceptions to consent is an
exception where a legitimate interest would outweigh any
potential adverse effect on the individual resulting
from the collection or use of their personal information,
[2] provided that:
a. the individual would expect the
collection or use; and
b. it is not for the purposes of
influencing the behaviours or decisions of such individual (e.g.
for behavioural marketing purposes). [3]
The use of the legitimate interest exception is however subject
to the completion of a prior assessment in which the organization
must:
1. identify any potential adverse
effect on the individual that is likely to result from the
collection or use for such activity;
2. identify and document how it takes
reasonable measures to reduce the likelihood that the effects will
occur or to mitigate or eliminate them; and
3. document how it complies with any
prescribed requirements. [4]
An organization must keep records with respect to the foregoing
and must, on request, provide a copy of the assessment to the
Privacy Commissioner of Canada. [5] In its policies and
practices, the organization must also make readily available
information on how it uses the personal information and how it
applies the exceptions to the requirement to obtain an
individual’s consent, including a description of any activities
in which it has a “legitimate interest”. [6]
Thus, the “legitimate interest” proposed in Bill C-27
is an alternative to consent that, in cases where it is permitted,
requires careful advance documentation, as well as transparent
disclosure of its use in the organization’s policies. As a
result, the best and most convenient practice would remain to
obtain consent for the collection, use and disclosure of personal
information where possible.
2. Parallel with the Legitimate Interest Legal Basis Under the
GDPR
Under the GDPR, and contrary to Canadian privacy laws which are
firmly consent-based, several legal bases exist for the processing
of personal information, as set out in article 6 of the GDPR:
6(1). Processing shall be lawful only
if and to the extent that at least one of the following
applies:
(a) the data subject has given
consent to the processing of his or her personal data for one or
more specific purposes;
(b) processing is necessary for the
performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to
entering into a contract;
(c) processing is necessary for
compliance with a legal obligation to which the controller is
subject;
(d) processing is necessary in order
to protect the vital interests of the data subject or of another
natural person;
(e) processing is necessary for the
performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
(f) processing is necessary for the
purposes of the legitimate interests pursued by the controller or
by a third party, except
where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a
child.
Point (f) of the first subparagraph
shall not apply to processing carried out by
public authorities in the performance of their tasks.
[…]
Although the legitimate interest legal basis is the last one on the
list provided by article 6, this does not mean that it is less
important than the others or that it is an exception to a general
rule. On the contrary, it is one of the possible bases for the
processing, like consent. There is no hierarchy between the
legitimate interest and consent under the GDPR. [7]
Indeed, according to the European Data Protection Board
(“EDPB”):
[…] no specific hierarchy is made
between the different lawful basis of the GDPR: the controller
needs to ensure that the selected lawful basis matches the
objective and context of the processing operation in question. The
identification of the appropriate lawful basis is tied to
principles of fairness and purpose limitation. [8]
In order to rely on the legitimate interest legal basis, the
controller must first perform a three-step test to establish
that:
1. the pursuit of the interest by the
controller or by the third party or parties to whom the personal
information is disclosed is “legitimate” (purpose
test);
2. the processing of personal
information is necessary for the achievement of the legitimate
interest pursued (necessity test); and
3. the controller’s legitimate
interests are not overridden by the interests or fundamental
rights and freedoms of the data subject which require
protection of personal data, in particular where the data subject
is a child (balancing test).
This test, generally referred to as the Legitimate Interest
Assessment (“LIA”), is not expressly mentioned in Article
6 of the GDPR. That being said, organizations in Europe can rely on
the guidance and templates provided by the United Kingdom (UK)
Information Commissioner’s Office (“ICO”) to conduct
their LIA in Europe, which details the LIA as reproduced above.
[9]
Contrary to the CPPA, which refers to “potential
adverse effect”, the GDPR refers to “the
interests or fundamental rights and freedoms of the data
subject”. Pursuant to the GDPR, in order to assess
whether the legitimate interest is overridden by the fundamental
rights and freedoms of the individuals (balancing test),
the controller shall take into account the reasonable expectations
of data subjects (individuals) based on their relationship with the
controller. Indeed, according to recital 47 of the GDPR:
(47) The legitimate interests of a
controller, including those of a controller to which the personal
data may be disclosed, or of a third party, may provide a legal
basis for processing, provided that the interests or the
fundamental rights and freedoms of the data subject are not
overriding, taking into consideration the reasonable expectations
of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a
relevant and appropriate relationship between the data subject and
the controller in situations such as where the data subject is a
client or in the service of the controller. At any rate the
existence of a legitimate interest would need careful assessment
including whether a data subject can reasonably expect at the time
and in the context of the collection of the personal data that
processing for that purpose may take place. The interests and
fundamental rights of the data subject could in particular override
the interest of the data controller where personal data are
processed in circumstances where data subjects do not reasonably
expect further processing. […].
As mentioned, the assessment above must be documented.
[10] The organization must also take appropriate measures
to provide information regarding the reliance on a legitimate
interest to individuals. [11]
In short, the Canadian and European tests both include a
balancing test of the legitimate interest of the organization
against the interests or fundamental rights and freedoms of the
data subject in Europe or potential adverse effects
on the individual in Canada. To date, the question arises as to how to
interpret “potential adverse effect”, since
this expression seems to be broad, but we do not expect that it
would be more permissive than the GDPR. The criteria used in Europe
could serve as inspiration in Canada if the text of Bill C-27 were
adopted as is, pending Canadian documentation similar to that
provided by the ICO, which would certainly be welcomed by the
industry.
Conclusion
The introduction of the notion of “legitimate
interest” in Canada is a breath of fresh air in the world of
privacy, which has long called for uniformity of the legal concepts
and rules in the context of frequent inter-jurisdictional transfers
of personal information. In the absence of more guidance on the
concept of legitimate interest introduced in Bill C-27, the criteria
and documentation used on the other side of the Atlantic could be
useful to organizations that would be subject to the proposed CPPA
in Canada.
However, in order to avoid organizations taking refuge in this
exception as soon as consent is difficult to obtain, the Canadian
government will have to ensure that it provides tools and
procedures to crystalize the concept, its assessment and application
criteria that go beyond the threshold set out in the CPPA, similar
to the initiatives of the ICO in the UK. In this way, it can avoid
repeating the confusion that has arisen surrounding legitimate
interest in Europe. [12]
Footnotes
[1] CPPA, s. 15.
[2] The exception therefore does not apply to the
communication of personal information.
[3] CPPA, s. 18(3).
[4] CPPA, s. 18(4).
[5] CPPA, s. 18(5).
[6] CPPA, s. 62(2)(b).
[7] Individuals’ rights shall still be respected. That
being said, if the controller relies on the legitimate interest
legal basis under the GDPR, the individual will not be able to
exercise their right to erasure (GDPR, art. 17) nor their right to data
portability (GDPR, art. 20). The other rights however remain
exercisable, i.e. the rights to access (GDPR, art. 15), rectify
(GDPR, art. 16), restrict the processing (GDPR, art. 18), object to
the processing (GDPR, art. 21), as well as the right not to be
subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning him or
her or similarly significantly affects him or her (GDPR, art.
22).
[8] EDPB, Guidelines 8/2020 on the targeting of social media
users, para. 48. See also the opinion of the predecessor of the
EDPB on the former Directive 95/46, the Article 29 Working Group, Opinion 06/2014 on the notion of legitimate
interests of the data controller under Article 7 of Directive
95/46/EC, p. 10: “[T]he text of the Directive does not
make a legal distinction between the six grounds and does not
suggest that there is a hierarchy among them. There is not any
indication that Article 7(f) should only be applied in exceptional
cases and the text also does not otherwise suggest that the
specific order of the six legal grounds would have any legally
relevant effect”.
[9] ICO, “Sample LIA template”, online: https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fico.org.uk%2Fmedia%2Ffor-organisations%2Fforms%2F2258435%2Fgdpr-guidance-legitimate-interests-sample-lia-template.docx&wdOrigin=BROWSELINK
[10] GDPR, rec. 47.
[11] GDPR, art. 12; 13(1)(d); 14(2)(b).
[12] OneTrust DataGuidance, “EU: IAB
Europe’s guide on legitimate interests assessments for digital
advertising - Highlights and concerns”, online: https://www.dataguidance.com/opinion/eu-iab-europes-guide-legitimate-interests:
“Of the six lawful bases for processing set out in Article 6
of the General Data Protection Regulation (Regulation [EU]
2016/679) (‘GDPR’), none has resulted in more confusion
than legitimate interests. […] Legitimate interests affords
considerable flexibility and appears to offer an alternative to the
technical challenges associated with acquiring consent,
particularly in the complex Ad Tech ecosystem. This makes it very
attractive to controllers. However, it is not always immediately
clear when relying on legitimate interests will be
appropriate.”