On October 31, 2023, the Commission d'accès à l'information (the "CAI") published the final version of its guidelines on criteria for valid consent (in French only), entitled Lignes directrices 2023-1 – Consentement : critères de validité, following a public consultation in which Fasken participated (to consult our brief, which sets out several recommendations that were retained, click here). These guidelines facilitate obtaining consent when applying privacy law.[1] More specifically, the purpose of the guidelines is to:
- help understand the criteria for obtaining valid consent;
- clarify organizations’ obligations when obtaining such consent;
- identify best practices that promote respect for individual privacy.[2]
The “Feedback Document Consultation sur le projet de Lignes directrices 2023-1 – Consentement : critères de validité” provided by the CAI with the final version of the guidelines is an interesting tool for interpreting the criteria.[3] In particular, it summarizes the comments on the draft guidelines published in May 2023, which the CAI considered when drafting this document.
The guidelines distinguish between obligations and best practices, which are highlighted throughout the document respectively in blue and green. This bulletin focuses on obligations for both the private and public sectors.
The flowchart below outlines the questions to consider when identifying situations that call for consent and to ensure the validity of the consent, based on the CAI’s guidelines.
1. When Must Consent Be Obtained?
As with other requirements under privacy laws, it is important to consider the application of each consent requirement at every stage of the life cycle of personal information.
Scope of Guidelines
The CAI presumes in its guidelines that unlike other Canadian laws, Québec does not regulate the collection of personal information with consent, subject to exceptions.[4] According to the CAI, consent requirements would apply only to the use and communication of personal information. As such, the guidelines do not cover consent obtained during collection through the transparency requirement under the law.[5]
This stance is surprising, given that the guidelines state that they [translation] "concern the criteria for the validity of consent". If we take the CAI's comments into account, the guidelines do not seem to apply to the most common setting in which consent is obtained, namely at the time of collection (see our brief, recommendation 4 at page 4).
According to the CAI, an organization should simply meet the following requirements when collecting personal information:
Necessity. Before collecting personal information, an organization must first meet the necessity requirement. This implies that all of the following conditions must be met:
- The purpose of the collection is legitimate, important and real;
- The information collection is rationally connected to the overall purpose, in other words, the loss of privacy is proportional to the benefit of that purpose;
- The loss of privacy is kept to a minimum. In other words, there are no other means of achieving the same purposes in a way that is less invasive.[6]
Transparency. Next, the organization must satisfy the transparency requirement by providing specific and complete information to the individual when the information is collected from them.[7] Once properly informed, an individual who provides their personal information is presumed to consent to the use and disclosure of their personal information for the “primary purposes” disclosed to them.[8]
Distinction Between Primary and Secondary Purposes
According to the CAI, consent requirements would be closely connected to the distinction between “primary” and “secondary” purposes. Presently, the law neither refers to nor defines these concepts. Therefore, their significance in the guidelines is surprising. Although essential to implementing the guidelines, the proposed definitions of “primary” and “secondary purposes” raise practical difficulties.
The guidelines’ glossary suggests that a primary purpose is one that relates to the provision of any service or product, or access to employment, that is disclosed at the time of collection. Also according to the CAI, secondary purposes mean any other purposes pursued by an organization. These definitions create significant confusion. For example, would announcing a purpose that “relates to the provision of any product or service” (such as commercial prospecting) at the time of collection qualify it as a primary purpose, even if the information used for such prospecting is sensitive? This seems contrary to the spirit of the law and may exceed the reasonable expectations of those concerned, in our view.
The concept of primary purpose would need to be clarified to make the proposed use or communication essential to the provision of any product or service, which can then, logically, be the subject of presumed consent[9] (see our brief, recommendation 2 at page 2). Moreover, in our view, the timing of the disclosure of the purpose should not have any impact on the characterization of purpose as primary or secondary.
Application of Guidelines for Secondary Purposes
Based on the above, we understand that an organization should only obtain consent that meets the eight criteria described in the guidelines where it wishes to use or communicate personal information for a secondary purpose.
Similarly, an organization should obtain consent that meets these criteria to collect personal information from a minor under the age of 14 for purposes that are not clearly in the individual’s interest, and when it wants to collect personal information from a person other than the individual concerned, except where legal exemptions apply.[10]
2. Form of Consent
In certain situations or depending on the context, the law requires express consent. In other situations, an organization may rely on implied consent.
Express Consent
Consent is express when a person takes an explicit action that clearly indicates the individual’s agreement, for example, by checking a box, filling out a form, answering yes to a question, affixing their signature, or making a statement before a witness.[11]
Implied Consent
Consent is implied if it is not explicitly given. The organization infers consent from another action taken by the individual, or from their inaction or silence; for example, when the individual continues to use the services of a supplier or makes a purchase after being informed of a change in the way personal information is processed. An organization must inform that individual beforehand that it will interpret this action, silence or inaction as consent. The individual should also have a reasonable opportunity to withhold or withdraw their consent.
Determining the Appropriate Form of Consent: Express or Implied?
Unless an organization can rely on an exception to consent, it must obtain express consent if:
- it wishes to use or communicate sensitive personal information for a secondary purpose.
- it wishes to use or communicate personal information for a purpose that is outside the reasonable expectations of the individual concerned, depending on the context.
- it wishes to use or communicate personal information for a purpose that could expose the individual to a risk of serious harm.
While the law is silent on this topic, the notions of reasonable expectations and risk of harm stem from a Supreme Court of Canada decision.[12]
In other situations, an organization may rely on implied consent. That said, the CAI states that situations where implied consent to a secondary purpose is appropriate are likely to be rather rare.[13]
3. Criteria for Validity of Consent
Where the law requires consent and the guidelines apply, consent must meet the following eight criteria, otherwise it will not be valid.
| Criterion | Description |
| --- | --- |
| Clear | It must be obvious and given in a way that demonstrates the true wishes of the individual concerned. |
| Free | An individual must be able to make a choice free of coercion or pressure. Consenting should be as easy as not consenting. Organizations must therefore allow individuals to refuse secondary purposes without influencing the initial agreement granting access to a product or service. In an employment relationship, the CAI suggests that organizations adopt measures appropriate to their own context to mitigate this problem if they are to rely on consent. |
| Informed | Individuals must understand what they are consenting to and what consent entails. The organization seeking consent must provide them with specific information to that effect. The CAI recommends multiple levels of disclosure.[14] |
| Given for Specific Purposes | The purposes of the use or communication of personal information must be defined as precisely as possible. |
| Granular | Consent must be requested for each intended purpose. If there are several purposes, consent must be sought separately for each one. In the case of a communication, a list of third parties or categories of third parties who will receive the information must be provided so that the individual can indicate acceptance of each. |
| Understandable | A request for consent must be written in simple, clear terms, both with regard to the information being collected as well as the question or statement of the individual’s acceptance or refusal. |
| Temporary | Consent is valid for a limited period of time—only for as long as necessary to fulfill the purpose(s) for which it was requested. The duration of the consent may be limited by a time period (for example, six months or three years) or an event (for example, as soon as a payment is completed). The CAI reminds us that the duration of the consent is different from the time limits for retaining information. As such, the consent’s validity will not necessarily expire on the same date as the time limit for destruction of the information.[15] |
| Presented Separately | The consent request must be separate from the terms of use, confidentiality policies and signatures. It must have its own readily accessible section or interface. |
For each validity criterion, the CAI has provided examples.[16] These examples are presented as tools but are not [translation] “to be considered as the only possible solution.” Finally, it should be noted that in the event of any ambiguity or inconsistency with the guidelines, the laws and regulations always prevail.
For more information, please refer to our Resource Centre | Law 25 or contact us.
[1] Act respecting access to documents held by public bodies and the protection of personal information, CQLR, c A-2.1, s 123(9).
[2] See Guidelines Summary, at 2. Note that the guidelines do not provide an explanation regarding situations where personal information may be used or disclosed without consent.
[3] In drafting its own guidelines, the CAI noted that it relied on guidelines issued by the Office of the Privacy Commissioner of Canada and the European Data Protection Committee.
[4] CAI, “Lignes directrices 2023-1 – Consentement : critères de validité,” online: https://www.cai.gouv.qc.ca/documents/CAI_LD_Criteres_validite_consentement.pdf, at 4 (the “Guidelines”) (in French only).
[5] Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (“Private Sector Act”), s 8; Act respecting Access, supra note 1, s 65.
[6] CAI, “La collecte des renseignements,” online: https://www.cai.gouv.qc.ca/entreprises/collecte-renseignements/ (in French only).
[7] See Private Sector Act, supra note 5, s 8 et seq., Act respecting Access, supra note 1, s 65 et seq.
[8] Guidelines, supra note 4 at 4-5 (Sections B.3 and B.5) and p. 12, para 2.3.
[9] Guidelines, supra note 4 at 12 (section 2.3).
[10] Guidelines, supra note 4 at 4 (Sections B.5 and B.8).
[11] See also Secrétariat à la réforme des institutions démocratiques, à l'accès à l'information et à la laïcité, "Consentement exprès : renseignements personnels sensibles", online: https://www.quebec.ca/gouvernement/travailler-gouvernement/travailler-fonction-publique/services-employes-etat/conformite/protection-des-renseignements-personnels/consentement/renseignements-personnels-sensibles
[12] Royal Bank of Canada v Trang, 2016 SCC 50, online: https://decisions.scc-csc.ca/scc-csc/scc-csc/en/item/16242/index.do?site_preference=normal&pedisable=true. Refer also to “Guidelines for obtaining meaningful consent,” published jointly by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia, online: https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/.
[13] Guidelines, supra note 4 at 11 (section 1.6).
[14] Ibid, at 15 (section 3.5).
[15] Ibid, at 20 (section 7.3).
[16] Ibid, at 23 et seq.