Three years ago, on January 1, 2019, the Office of the Privacy Commissioner of Canada (“OPCC”) began applying their Guidelines for obtaining meaningful consent when investigating complaints made under Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”). The guidelines foreshadowed a stricter approach by the privacy regulator to consent when investigating private sector organizations. Indeed, privacy policies have come under intense scrutiny over the past three years, as they form the basis of informed consent.
There has clearly been a greater expectation that these public-facing notices be detailed and transparent so individuals fully understand the nature, purpose and consequences of the collection, use or disclosure of their personal information. It is critical for condominium corporations to ensure their privacy policies are meeting these expectations.
Here are some of the key guiding principles for meaningful consent as outlined in the guidelines:
- Emphasize key elements in your privacy policy. The OPCC rightfully addresses the fact that complicated and lengthy privacy policies serve no practical purpose – individuals should be able to review the following key facts:
  - What personal information is being collected by the organization;
  - Who personal information is shared with;
  - The purposes for which personal information is collected, used or disclosed; and
  - The risk of harm or other consequences of the collection, use or disclosure to which they are consenting. As clarified by the OPCC, only meaningful risks of significant harm must be highlighted. Here, we are talking about risks that are more than a minimal or mere possibility. For example, the OPCC has held the position that if personal data is going to be processed or stored in a foreign jurisdiction, there is some risk that it could be disclosed to government or law enforcement officials of that country. Individuals should be informed of this risk. Another example is the risk associated with sending confidential personal information via insecure e-mail. It is important to alert individuals of this risk and recommend that such information not be sent in this way.
- Allow individuals to control the level of detail they get and when. This section of the guideline speaks to making the privacy policy readily available and presenting information in a layered format or with clear headings. By making your policy user-friendly with plain language, individuals are supported in understanding the organization’s information-handling practices.
- Be accountable by standing ready to demonstrate that the privacy policy implemented is sufficiently understandable (from the general perspective of the organization’s target audience) to allow for meaningful consent.
Here are two decisions that demonstrate how the OPCC has been examining privacy policies since the introduction of the guidelines:
- PIPEDA Case Summary 2019-001: The OPCC investigated Loblaws’ transfer of personal information outside of Canada for its gift card program. The regulator concluded that the complaint was not well-founded, because limited information was shared with third parties and Loblaws was fully transparent about the process. An analysis of Loblaws’ privacy policy and contractual clauses with the service provider led to a finding that the accountability requirements in PIPEDA had been met.
- PIPEDA Case Summary 2020-001: A former TD Canada Trust employee complained TD outsourced aspects of its fraud claims processing services to a service provider in India without getting customer consent or offering the choice to opt out. Following an examination of TD’s Privacy Agreement and Privacy Code, the OPCC found TD was appropriately open to current and potential customers about its outsourcing arrangement. TD obtained consent to use customer information for fraud claims management. Separate consent was not needed for the transfer of customers’ information to the service provider for the same purpose.
Although PIPEDA only applies in the context of “commercial activities”, condo corporations should nevertheless act in a manner consistent with PIPEDA. Further, service providers (such as management and security) would be subject to PIPEDA in the course of their involvement in the condo corporation. In the context of a privacy complaint made against a condo corporation, its privacy policy would likely be carefully reviewed by Canada’s privacy regulator. Even in non-PIPEDA jurisdictions (B.C., Alberta and Quebec, where provincial private sector privacy laws apply), it is clear that detailed public-facing policies are expected.
Condo corporations should review their privacy policies to ensure that they are in line with the Guidelines for Obtaining Meaningful Consent. It would also be a good time to make sure that any service providers who are provided with owner information have the appropriate policies in place.