Privacy - PIPEDA (2). Canada (Privacy Commissioner) v. Facebook, Inc. [consent]
In Canada (Privacy Commissioner) v. Facebook, Inc. (Fed CA, 2024) the Federal Court of Appeal allowed an appeal by the Privacy Commissioner from a decision of the Federal Court which dismissed an application alleging that the respondent Facebook "breached the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA) through its practice of sharing Facebook users’ personal information with third-party applications (apps) hosted on the Facebook platform".
Here the court considers the issue of PIPEDA 'consent', engaging in a preliminary canvassing of relevant statutory provisions:
Statutory Provisions
[28] This appeal concerns the scope of the obligations of meaningful consent and safeguarding as set out in Schedule 1 of PIPEDA. Organizations must comply with Schedule 1 of PIPEDA pursuant to subsection 5(1) of PIPEDA.
[29] Meaningful consent and safeguarding are legislatively prescribed terms, set out as “Principles” in the Act. Meaningful consent is described in clause 4.3 of Schedule 1 of PIPEDA as “Principle 3”. Section 6.1 of PIPEDA was added in 2015. It incorporates as a separate section (in somewhat clearer terms) the obligations that were already contained in Principle 3 of the Schedule:
Valid Consent
Validité du consentement
6.1: For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
6.1: Pour l’application de l’article 4.3 de l’annexe 1, le consentement de l’intéressé n’est valable que s’il est raisonnable de s’attendre à ce qu’un individu visé par les activités de l’organisation comprenne la nature, les fins et les conséquences de la collecte, de l’utilisation ou de la communication des renseignements personnels auxquelles il a consenti.
...
[...]
4.3 Principle 3 - Consent
4.3 Troisième principe — Consentement
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Toute personne doit être informée de toute collecte, utilisation ou communication de renseignements personnels qui la concernent et y consentir, à moins qu’il ne soit pas approprié de le faire.
4.3.1: Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).
4.3.1: Il faut obtenir le consentement de la personne concernée avant de recueillir des renseignements personnels à son sujet et d’utiliser ou de communiquer les renseignements recueillis. Généralement, une organisation obtient le consentement des personnes concernées relativement à l’utilisation et à la communication des renseignements personnels au moment de la collecte. Dans certains cas, une organisation peut obtenir le consentement concernant l’utilisation ou la communication des renseignements après avoir recueilli ces renseignements, mais avant de s’en servir, par exemple, quand elle veut les utiliser à des fins non précisées antérieurement.
4.3.2: The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.2: Suivant ce principe, il faut informer la personne au sujet de laquelle on recueille des renseignements et obtenir son consentement. Les organisations doivent faire un effort raisonnable pour s’assurer que la personne est informée des fins auxquelles les renseignements seront utilisés. Pour que le consentement soit valable, les fins doivent être énoncées de façon que la personne puisse raisonnablement comprendre de quelle manière les renseignements seront utilisés ou communiqués.
4.3.3: An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.3.3: Une organisation ne peut pas, pour le motif qu’elle fournit un bien ou un service, exiger d’une personne qu’elle consente à la collecte, à l’utilisation ou à la communication de renseignements autres que ceux qui sont nécessaires pour réaliser les fins légitimes et explicitement indiquées.
4.3.4: The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
4.3.4: La forme du consentement que l’organisation cherche à obtenir peut varier selon les circonstances et la nature des renseignements. Pour déterminer la forme que prendra le consentement, les organisations doivent tenir compte de la sensibilité des renseignements. Si certains renseignements sont presque toujours considérés comme sensibles, par exemple les dossiers médicaux et le revenu, tous les renseignements peuvent devenir sensibles suivant le contexte. Par exemple, les nom et adresse des abonnés d’une revue d’information ne seront généralement pas considérés comme des renseignements sensibles. Toutefois, les nom et adresse des abonnés de certains périodiques spécialisés pourront l’être.
4.3.5: In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
4.3.5: Dans l’obtention du consentement, les attentes raisonnables de la personne sont aussi pertinentes. Par exemple, une personne qui s’abonne à un périodique devrait raisonnablement s’attendre à ce que l’entreprise, en plus de se servir de son nom et de son adresse à des fins de postage et de facturation, communique avec elle pour lui demander si elle désire que son abonnement soit renouvelé. Dans ce cas, l’organisation peut présumer que la demande de la personne constitue un consentement à ces fins précises. D’un autre côté, il n’est pas raisonnable qu’une personne s’attende à ce que les renseignements personnels qu’elle fournit à un professionnel de la santé soient donnés sans son consentement à une entreprise qui vend des produits de soins de santé. Le consentement ne doit pas être obtenu par un subterfuge.
4.3.6: The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
4.3.6: La façon dont une organisation obtient le consentement peut varier selon les circonstances et la nature des renseignements recueillis. En général, l’organisation devrait chercher à obtenir un consentement explicite si les renseignements sont susceptibles d’être considérés comme sensibles. Lorsque les renseignements sont moins sensibles, un consentement implicite serait normalement jugé suffisant. Le consentement peut également être donné par un représentant autorisé (détenteur d’une procuration, tuteur).
4.3.7: Individuals can give consent in many ways. For example:
4.3.7: Le consentement peut revêtir différentes formes, par exemple :
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
a) on peut se servir d’un formulaire de demande de renseignements pour obtenir le consentement, recueillir des renseignements et informer la personne de l’utilisation qui sera faite des renseignements. En remplissant le formulaire et en le signant, la personne donne son consentement à la collecte de renseignements et aux usages précisés;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
b) on peut prévoir une case où la personne pourra indiquer en cochant qu’elle refuse que ses nom et adresse soient communiqués à d’autres organisations. Si la personne ne coche pas la case, il sera présumé qu’elle consent à ce que les renseignements soient communiqués à des tiers;
(c) consent may be given orally when information is collected over the telephone; or
c) le consentement peut être donné de vive voix lorsque les renseignements sont recueillis par téléphone; ou
(d) consent may be given at the time that individuals use a product or service.
d) le consentement peut être donné au moment où le produit ou le service est utilisé.
[30] Principles of safeguarding are set out in clause 4.7 of Schedule 1 of PIPEDA as “Principle 7”. The relevant portions are set out below:
4.7 Principle 7 - Safeguards
4.7 Septième principe - Mesures de sécurité
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Les renseignements personnels doivent être protégés au moyen de mesures de sécurité correspondant à leur degré de sensibilité.
4.7.1: The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
4.7.1: Les mesures de sécurité doivent protéger les renseignements personnels contre la perte ou le vol ainsi que contre la consultation, la communication, la copie, l’utilisation ou la modification non autorisées. Les organisations doivent protéger les renseignements personnels quelle que soit la forme sous laquelle ils sont conservés.
4.7.2: The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
4.7.2: La nature des mesures de sécurité variera en fonction du degré de sensibilité des renseignements personnels recueillis, de la quantité, de la répartition et du format des renseignements personnels ainsi que des méthodes de conservation. Les renseignements plus sensibles devraient être mieux protégés. La notion de sensibilité est présentée à l’article 4.3.4.
4.7.3: The methods of protection should include
4.7.3: Les méthodes de protection devraient comprendre:
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
a) des moyens matériels, par exemple le verrouillage des classeurs et la restriction de l’accès aux bureaux;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
b) des mesures administratives, par exemple des autorisations sécuritaires et un accès sélectif; et
(c) technological measures, for example, the use of passwords and encryption.
c) des mesures techniques, par exemple l’usage de mots de passe et du chiffrement.
4.7.4: Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
4.7.4: Les organisations doivent sensibiliser leur personnel à l’importance de protéger le caractère confidentiel des renseignements personnels.
[31] Finally, section 3 of PIPEDA sets out PIPEDA’s purpose:
Purpose
Objet
3: The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
3: La présente partie a pour objet de fixer, dans une ère où la technologie facilite de plus en plus la circulation et l’échange de renseignements, des règles régissant la collecte, l’utilisation et la communication de renseignements personnels d’une manière qui tient compte du droit des individus à la vie privée à l’égard des renseignements personnels qui les concernent et du besoin des organisations de recueillir, d’utiliser ou de communiquer des renseignements personnels à des fins qu’une personne raisonnable estimerait acceptables dans les circonstances.
. Google LLC v. Canada (Privacy Commissioner)
In Google LLC v. Canada (Privacy Commissioner) (Fed CA, 2023) the Federal Court of Appeal considered (and denied) an appeal against a Federal Court reference ruling (initiated by the Privacy Commissioner of Canada) that PIPEDA applied to Google's operation in Canada.
In these quotes the court concludes that PIPEDA (Part 1) does apply to Google's search engine activities as they do not involve "the collection, use, or disclosure of personal information for journalistic, artistic or literary purposes and for no other purpose" (the 'journalistic purpose' exception) [PIPEDA s.4(2)(c)]:
[41] In answering this question, the reference judge did not accept Google’s submission, supported by the intervener Canadian Broadcasting Corporation / Société Radio-Canada (CBC), that she should consider only the articles published by recognized news media that prompted the complaint. She pointed out that even if the Court’s analysis was limited to searches on an individual’s name, a search of that kind could return not only news articles but a variety of other types of content, including personal blogs and websites, social media sites, and websites of businesses, governments, and non-governmental organizations. The resulting display of personal information, she stated, could go well beyond media content; it was “wide and varied”.
[42] The reference judge went on to address the contention that Google Search facilitates access to information, such as news media, and should therefore be regarded as publishing that information, an element of journalism. In declining to accept that proposition, the reference judge drew by analogy on Crookes v. Newton, 2011 SCC 47 at paras. 27-30, in which the Supreme Court held in the defamation context that hyperlinks do not amount to publication of the linked information. Like hyperlinks, she reasoned, internet searches give the search engine no control over content, express no opinion, and involve no content creation. An “ordinary understanding of the word journalism,” she stated, “encompasses content creation and content control [...]”.
[43] The reference judge found support for this proposition in the three-part definition of journalism developed by the Ethics Advisory Committee of the Canadian Association of Journalists (CAJ), proposed by the Commissioner and accepted by the Federal Court in AT v. Globe24h.com, 2017 FC 114 at para. 68. According to that definition, as set out by the Court in Globe24h.com,
an activity should qualify as journalism only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation”.
[44] The reference judge concluded that the operation of the Google search engine did not meet the Globe24h.com test, even if only the search results for the complainant’s name were considered:
[F]irst, Google makes information universally accessible, which is much broader than informing a community about issues the community values; second, Google does not create or produce anything—it only displays search results; and third, there is no effort on the part of Google to determine the fairness or the accuracy of the search results. The publishers would be accountable for the accuracy of the content of a search result, not Google.
[45] Continuing with her analysis of the second question, the reference judge turned to the “and for no other purpose” element of paragraph 4(2)(c). She agreed with the proposition put forward by Google that this phrase does not exclude commercial organizations because, in order for a paragraph 4(2)(c) issue to arise, the organization must be engaged in commercial activities within the meaning of subsection 4(1).
[46] However, she stated, citing the statutory interpretation principle that the legislature does not speak in vain and the presumption against tautology, this did not mean that the phrase has no meaning. The exemption under paragraph 4(2)(c) applies only where information is collected, used or disclosed exclusively for journalistic purposes, and she saw it as clear that the purposes of Google Search extend beyond journalism. She characterized its primary purpose as to index and present search results. This, she stated, was not primarily a journalistic purpose, because the only defining feature of journalism it entailed was to facilitate access to information.
[47] The reference judge also rejected the CBC’s submission that PIPEDA should be interpreted and applied in a manner that protects the freedom of expression guaranteed by the Charter. Referring to the Supreme Court’s decision in Wilson v. British Columbia (Superintendent of Motor Vehicles), 2015 SCC 47 at para. 25, she stated that it was not necessary to resort to Charter values in interpreting a statute absent a genuine ambiguity in its interpretation. She saw no ambiguity in the case before her: Parliament had limited PIPEDA to protecting journalism specifically and not expression more generally; it had protected the collection, disclosure, and use of personal information only for exclusively journalistic purposes; and the ordinary understanding of journalism, as proffered by journalists themselves, did not extend to Google’s search engine.
[48] She expressed her overall conclusion on the paragraph 4(2)(c) exemption issue as follows: “Google’s purposes for collecting, using and disclosing personal information […] are not journalistic, and they are certainly not exclusively so.” Accordingly, she answered “no” to the second reference question.
At paras 67-91 the court considers (and dismisses) Google's appeal arguments on this 'journalistic purpose' exception.
. Google LLC v. Canada (Privacy Commissioner)
In Google LLC v. Canada (Privacy Commissioner) (Fed CA, 2023) the Federal Court of Appeal considered (and denied) an appeal against a Federal Court reference ruling (initiated by the Privacy Commissioner of Canada) that PIPEDA applied to Google's operation in Canada.
In these quotes the court concludes that PIPEDA (Part 1) does apply to Google's search engine activities as they "service, collect, use or disclose personal information in the course of commercial activities within the meaning of paragraph 4(1)(a) of PIPEDA when it indexes web pages and presents search results in response to searches of an individual’s name":
[38] On the first sub-question, the reference judge determined that Google engages in collection when its crawlers access and copy the content on publicly accessible webpages, that it uses and discloses personal information of the subjects of a search, and that (as Google acknowledged) it also collects, uses, and discloses personal information of the individuals performing a search.
[39] On the second sub-question, she rejected Google’s contention, based on the traditional meaning of the term, that its search engine is not engaged in commercial activities. She described Google’s approach to this sub-question, which focused in large part on the fact that a search is free to the user, as “microscopic”, and as failing to recognize that personal information has itself become a commodity, which can be mined and used for profit. She referred to, among other things, the fact that Google is a for-profit corporation, and its acknowledgments that the bulk of its revenue comes from advertising, and that its search and other online services generate most of its advertising revenue. She found that “every component of [Google’s] business model is a commercial activity as contemplated by PIPEDA.” Accordingly, she answered the first reference question in the affirmative.
. Google LLC v. Canada (Privacy Commissioner)
In Google LLC v. Canada (Privacy Commissioner) (Fed CA, 2023) the Federal Court of Appeal considered (and denied) an appeal against a Federal Court reference ruling (initiated by the Privacy Commissioner of Canada) that PIPEDA applied to Google's operation in Canada.
In these quotes the court sets out the statutory framework of Part 1 ['Protection of Personal Information in the Private Sector'] of PIPEDA:
II. Statutory framework
[7] Part 1 of PIPEDA, entitled “Protection of Personal Information in the Private Sector,” is Canada’s federal private sector privacy legislation. (Part 2 of PIPEDA, entitled “Electronic Documents”, is not in issue here.)
[8] The purpose of Part 1, set out in section 3 of the Act as follows, is to establish rules that balance individuals’ right of privacy in personal information with organizations’ need to collect, use, or disclose that information:
3 The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
3 La présente partie a pour objet de fixer, dans une ère où la technologie facilite de plus en plus la circulation et l’échange de renseignements, des règles régissant la collecte, l’utilisation et la communication de renseignements personnels d’une manière qui tient compte du droit des individus à la vie privée à l’égard des renseignements personnels qui les concernent et du besoin des organisations de recueillir, d’utiliser ou de communiquer des renseignements personnels à des fins qu’une personne raisonnable estimerait acceptables dans les circonstances.
[9] Section 4 of PIPEDA governs the application of Part 1. Where Part 1 applies to an organization, the organization is subject to a series of principles in its collection, use, or disclosure of personal information. Among them is the principle set out in section 4.3 of Schedule I of the Act. It stipulates that “the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate” / “Toute personne doit être informée de toute collecte, utilisation ou communication de renseignements personnels qui la concernent et y consentir, à moins qu’il ne soit pas approprié de le faire.”.
[10] Section 4 reads in relevant part as follows (emphasis added):
4 (1) This Part applies to every organization in respect of personal information that
4 (1) La présente partie s’applique à toute organisation à l’égard des renseignements personnels :
(a) the organization collects, uses or discloses in the course of commercial activities; […]
(a) soit qu’elle recueille, utilise ou communique dans le cadre d’activités commerciales; […]
(2) This Part does not apply to: […]
(2) la présente partie ne s’applique pas : […]
(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
(c) à une organisation à l’égard des renseignements personnels qu’elle recueille, utilise ou communique à des fins journalistiques, artistiques ou littéraires et à aucune autre fin.
[11] Certain definitions, set out in section 2 of the Act, bear on the scope of these provisions:
organization includes an association, a partnership, a person and a trade union.
organisation S’entend notamment des associations, sociétés de personnes, personnes et organisations syndicales.
personal information means information about an identifiable individual.
renseignement personnel Tout renseignement concernant un individu identifiable.
[12] However, the statute contains no definition of “journalistic purpose” / “fins journalistiques” or of “journalism” / “journalisme”.
[13] The Privacy Commissioner of Canada, an officer of Parliament, is mandated to oversee compliance with PIPEDA. Section 11 of the Act authorizes an individual to file with the Commissioner a written complaint against an organization for contravening, among other things, a provision of Division 1 of Part 1 of the Act, which deals with the protection of personal information. The Commissioner may also initiate a complaint if satisfied that there are reasonable grounds to investigate a matter.
[14] Subject to certain exceptions not applicable here, section 12 of the Act requires the Commissioner to investigate complaints. Section 12.1 of the Act gives the Commissioner or a delegate, in the conduct of an investigation, powers that include compelling oral or written evidence, compelling production of records, and entry of any premises other than a dwelling-house.
[15] However, the Commissioner has no authority to compel a resolution of a complaint or to grant a remedy to the complainant. Rather, PIPEDA vests remedial authority in the Federal Court. As set out in section 13, the most the Commissioner may do in response to a complaint is to issue a report containing findings and recommendations. By section 14, it is then open to the complainant—or to the Commissioner where the Commissioner initiated the complaint and certain other pre-conditions are met—to apply to the Federal Court for a hearing. By section 15, the Commissioner may also, with leave of the Court, appear as a party to any hearing applied for under section 14.
[16] A hearing under section 14 is “a proceeding de novo”. By section 17, it is to be heard in a summary way unless the Court considers that inappropriate. What is in issue in a section 14 hearing “is not the Commissioner’s report, but the conduct of the party against whom the complaint is filed.” “[T]he report of the Commissioner, if put in evidence, may be challenged or contradicted like any other document adduced in evidence”: Englander v. TELUS Communications Inc., 2004 FCA 387 at paras. 47-48; Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533 at para. 49.
[17] Section 16 of PIPEDA confers on the Federal Court broad remedial powers. They include authority to make compliance orders and award damages, including damages for any humiliation the complainant has suffered.