Using consent as a legal basis

One of the more significant operational difference rests with how PIPEDA and GDPR approach consent as a legal basis for data processing.

Concerning PIPEDA, consent is a major feature of this act. With limited exceptions, an individual’s consent is necessary to the collection of, use and to the disclosure of any personal information. PIPEDA was amended in 2015 to include section 6.1, which states that an individual’s consent is only valid if it reasonably was expected and understood concerning the nature, purpose and consequences of the data information being requested.

As an organization, you would still have the operational choice of whether to seek express or implied consent, but it is understood that express consent remains the default choice. Identifying the appropriate form of consent depends on what is considered sensitive regarding the personal information and any reasonable expectations of the individual (ref. PIPEDA, Schedule 1, cl. 4.3.5). As a requirement of providing an individual with a product or service, an individual cannot be required to consent to the collection of and use of information than what is necessary for the purpose of completing the transaction with the individual.

If we examine GDPR, consent is also a valid foundation for the collection of, use and for disclosure of personal information (Article 6).GDPR may be more flexible than PIPEDA in some ways as it allows organizations to collect, use and disclose personal data based on other factors, such as performance of a contract or legitimate interests. Unlike Canada, where consent is the sole factor for collection, use and disclosure (remember with limited exceptions), organizations looking to create compliance programs for GDPR, most likely will look for other factors to process EU data. To that point, the requirements for consent are so demanding that organizations use this sparingly as a factor for data processing. Primarily, it is because there is no concept of implied consent as consent must be by an affirmative act by the individual. Secondly, you cannot bundle consent into a contract. It must be given each time for each use of the personal information. Thirdly, it must be freely given. GDPR states that consent will not be justified for processing if there is a clear imbalance of power. Similar to PIPEDA, consent is not freely given when an organization makes the collection of personal information more than what is necessary.

Those organizations or businesses subject to GDPR should also consider whether the individual providing consent actually has the capacity to do so. In a difference to GDPR, PIPEDA does not contain a minimum age of consent. With PIPEDA, age is a relevant factor in considering whether informed consent was obtained. The Privacy Commissioner of Canada has put forth that the consent of children under 13 yrs of age would be too difficult to obtain; however, there is not strict threshold for age. In contrast, GDPR sets a threshold of sixteen years of age for consent. Individual countries though can lower the age of consent to between 13 and 16.

Employee data information

Human Resource Information Systems (HRIS) have gained massive popularity over the past 15 years as an excellent solution in managing employee data. Most recently, these systems have increasingly been deployed as a cloud-based solution, allowing multinational organizations to take advantage of efficiencies by using a common platform to manage the process of employees to include onboarding, payroll, benefits, accounting functions and employee activity related to disabilities etc.

Information that is handled in HRIS platforms is very difficult operationally for multinational corporations under GDPR. For those Canadian organizations, it is vital to recognize that PIPEDA will only regulate the collection, use of and disclosure of personal information with respect to federal works, undertakings and businesses. Think of these employers as airlines, banks, shipping companies and other federally regulated employers. This obviously covers a very limited subset of the Canadian economy. By contrast, the vast majority of employers are regulated by provincial legislation. Except for British Columbia, Alberta, and Quebec, all other provinces are not subject to statutory privacy laws for employee data.

Employee data with GDPR, on the other hand, is firmly within its scope. Article 81 permits EU member countries to enact laws expressly to address employee data, which may be stricter than what GDPR covers. Important to note is that consent is generally not a viable foundation on which to collect and use any personal information of employees because this form of consent is not considered given freely, considering the significant power imbalance between employee and employer. Granted, employers may have legitimate interests to process data, such as payroll, or tax purposes, but parent companies or affiliates need to be careful. If these companies are using this data for business planning or other purposes may need to review if they have legal grounds under the GDPR to use the data without consent.

Additionally, if the data to be processed is being transferred to a Canadian federal work, undertaking or business, the data transfer will no longer be subject to Canada’s partial adequacy designation by the EU Commission. Given this status, it would be necessary to put into place standard contract clauses or binding corporate rules.