The New “Legitimate Interests” Exception to Consent: What Can We Learn From the EU?
This article was first published in the Canadian Privacy Law Review, VOLUME 19, NUMBER 11, (2022), 19 C.P.L.R., October 2022
One of the major changes brought by Bill C-27, Canada’s new privacy bill, is the possibility for organizations to rely on a new exception to consent: “legitimate interests”. Organizations may decide not to provide notice and not to collect consent if they can prove that (i) they have a legitimate interest that outweighs any adverse effect on the individual, (ii) the processing does not intend to influence the individual’s behavior or decisions, and (iii) such processing falls within an individual’s reasonable expectations.
Relying on legitimate interest can be useful, but it is not simple. Bill C-27 leaves many unanswered questions about qualifying “legitimate interests” and determining and measuring adverse effects. We therefore turn to laws such as the European General Data Protection Regulation (“GDPR”), which allows organizations to process personal information under the “legitimate interests” lawful basis, provided that
1. the interest is legitimate;
2. the processing is necessary to reach this interest; and
3. the rights and interests of individuals are not overridden by the interests.
Additionally, both pieces of legislation require organizations to perform a Legitimate Interest Assessment (“LIA”). An LIA is a self-guided assessment to determine if the conditions of “legitimate interests” are fulfilled.
In this context, both pieces of legislation require similar types of questions to be answered, leading us to consider the GDPR as a model to help Canadian organizations perform their own LIA. The GDPR LIA is a three-step test as set out below.
1. Is the interest pursued “legitimate”?
The first step is to identify an interest and to prove that it is legitimate. The list of legitimate objectives is potentially very broad, but most importantly, the identified objectives must be ethical and lawful (lawfulness being one of the explicit conditions under Bill C-27 as well). In addition, organizations should have a clear and specific outcome in mind and should not rely on vague or generic business interests (e.g., “we want to grow our business”).
Under the GDPR, there is no exhaustive list of legitimate interests, but it has been recognized that the following may qualify as such: network security, fraud prevention, commercial prospecting, transmission of personal data within a group of undertakings for internal administrative purposes, reporting criminal acts or threats to public security to a competent authority, employee monitoring for safety, direct marketing, etc.
The interests identified in the context of the GDPR as legitimate can potentially be considered legitimate under Bill C-27 as well. One point to remember, however, is that Bill C-27 states that legitimate interests cannot be used to influence the individual’s behavior or decisions. Therefore, “direct marketing” and “commercial prospecting” cannot constitute legitimate interests for Canadian organizations.
2. Is the processing necessary to achieve this interest?
Organizations must then verify that the processing will actually allow them to achieve the pursued objective. Concretely, the questions to ask are the following: (i) will the processing help to achieve the purpose, (ii) is the processing proportionate to the purpose, and (iii) is it possible to achieve the same purpose without the processing or by processing data in a less intrusive way?
Take the example of a financial institution that wants to open an account for a new client. Their legitimate interest is to prevent fraud. To achieve this objective, they would need to verify the individual’s identity. Collecting personal information would be necessary to achieve this objective, and processing government-issued photo ID would likely be the least intrusive way to achieve this. However, if the organization started asking for information on an individual’s lifestyle (grocery shopping habits, how many cars they have, etc.) this would probably not be considered necessary.
3. Do individuals’ rights and freedoms override the legitimate interests?
This is the trickiest question under the three-step test. Under the GDPR, organizations must balance their legitimate interests with the rights and freedoms of the individual. If organizations can prove that their interests are not overridden by the rights and freedoms of the individuals (i.e., if they can demonstrate that the balance is in their favor), then they can rely on the “legitimate interests” lawful basis. In a similar vein, Bill C-27 states that organizations can decide not to inform individuals, and not to collect their consent, if they have a legitimate interest that outweighs any adverse effect on the individual.
Therefore, both legislations call for a balancing exercise, which can be achieved by asking two questions.
· How does the processing activity impact individuals?
The objective here is to build a “provisional” balance by following the steps below.
First, an in-depth analysis of the processing activity must be performed by taking into account (i) the nature of the personal data (e.g., whether it is sensitive data), (ii) the status of the individual (e.g., whether the individual is a child, an employee, a student, a patient), (iii) the nature of the organization’s relation with the individual (e.g., whether the organization is in a dominant market position, or whether it is an employer), and (iv) the way the personal data is processed (e.g., on a large scale, or with data mining, profiling, or disclosure to a large number of organizations).
Then, organizations must identify the interests of the individual that could be impacted. Under the GDPR, organizations must not only look at privacy rights, but also, more broadly, at all other fundamental rights (e.g., freedom of expression and information, right to property, etc.). Organizations should also look at the physical, economic or social situation of the individual (e.g., will the processing activity impact the individual’s access to university? Will it cause them financial harm or deprive them of access to an essential service?).
Finally, organizations must analyze the reasonable expectations of the individual. Since individuals will not provide consent to the processing activity, individuals should not be surprised by the processing. Organizations subject to Bill C-27 are not required to provide notice to rely on legitimate interests, most probably leading to a “reasonable expectation” threshold that is much higher than under GDPR.
European regulators provide a useful example in their guidelines (Opinion 06/2014 of the Article 29 Data Protection Working Party, adopted on 9 April 2014, which, even if adopted before the GDPR, can remain relevant today): if a pizza chain sells information to an insurance company to determine health insurance premiums, the insurance company may have a legitimate interest to assess health risks. However, a reasonable person would not expect their pizza-eating habits to be used to calculate their insurance premiums.
In this context, Canadian organizations may ask similar questions as the ones identified above to evaluate the impact of their collection, use and disclosure practices on individuals.
· How to minimize the impact of the processing on individuals?
Minimizing the impact of the processing is another common point between the GDPR and Bill C-27. To rely on “legitimate interests” under the GDPR, organizations must be able to prove that they have established additional safeguards, knowing that these measures should be on top of any measures taken to be compliant. The measures organizations may implement include, for example:
functional separation of data, use of anonymization, encryption;
immediate deletion of data after use;
mechanisms for individuals to directly access, modify, delete, transfer their own data; and
privacy-enhancing technologies and privacy by design.
These measures may also qualify as relevant safeguards for Canadian organizations in order to minimize the potential adverse effects of their processing activities. Furthermore, under Bill C-27, an additional safeguard may consist, for example, in providing specific and clearly visible information to the individual on the processing activity, insofar as providing notice is not an automatic requirement to rely on “legitimate interests”.
In a nutshell, the concepts of “legitimate interests” and LIA are new for Canadian organizations, and foreign regulators and courts’ experiences with other laws, such as the GDPR, can provide useful context and guidance as Canadian organizations navigate the intricacies of their new privacy law.