PIPEDA - 10 Core Principles

 Feb 25, 2019 9:00 AM
by Derek Lackey

PIPEDA is broken down into 10 core principles. They reflect and evaluate how a business is required to handle personal information and to ensure that best practices are in place and used. Following is an overview of each of these principles as well as one guidance on how they relate to cloud service providers.

1. Accountability 

An organization is required to accept responsibility for any and all personal information that is under its control. This is accomplished by designating a representation who is accountable and responsible for the organization’s compliance. The business is further required to use various means, including contractual, to ensure that it remains compliant with third parties. It also has a responsibility to uphold PIPEDA by developing and implementing relevant policies and procedures.

Organizations should include contractual obligations that uphold PIPEDA including reporting procedures, security policies, non-disclosure, and limitations.


2. Identifying Purposes 

An organization is responsible for identifying and documenting their purpose for collecting personal information. They are required to notify their customers, clients, users, visitors, and guests if they intend to use the information for any purpose that was not identified at the time of collection prior to using that information.

Organizations should share the organization’s outlook on policies and procedures, particularly as it related to the purpose of collecting personal data.

Businesses should evaluate their requirements to handle personal information and to ensure that best practices are in place and used.


3. Consent 

An organization is responsible for obtaining the informed consent of individuals when it is engaged in the practice of collection of personal information or data, except where such knowledge and consent is inappropriate.

Organizations should share the organization’s policies and outlook regarding how sensitive data is handled.


4. Limiting Collection 

An organization is responsible for limiting the collection of personal information to only what is necessary for purposes identified by the organization. All collection methods should be fair and compliant with all applicable laws.

Organizations should follow the best practices for securing storing personal information on the behalf of the business.


5. Limiting Use, Disclosure, and Retention 

An organization is responsible for never using or disclosing personal information for any purpose other than that for which it was collected. They are to retain any personal information collected for only as long as is necessary to fulfill the intent or purpose of the collection.

Organizations should follow best practices for securely handling the destruction or disposal of data that is no longer needed and storage is no longer required. They should also have policies in place regarding third party disclosure.


6. Accuracy 

An organization is responsible for ensuring that all information is accurate, complete, and up to date. It should be only what is necessary or required for the purpose or intent of use.

Organizations should share the organization’s principles on the accuracy of data that is collected.


7. Safeguards 

An organization is responsible for protecting personal information by ensuring that reliable security safeguards that are appropriate for the level of the information’s sensitivity are in place.

Organizations should have policies in place for safeguarding the data that it is hosting for the organization. Organizations should have access to all security policies regarding how their cloud service provider protects the collected data from loss and theft as well as unauthorized access, copying, modification, disclosure, and use.


8. Openness 

An organization is responsible for complete transparency regarding its policies and management of collected personal information. The policies should be very detailed in explaining how it manages personal information and these policies should be readily available for both employees and clients.

Organizations should be transparent regarding their data management policies. They should be able to provide a copy of these policies to their clients upon request.


9. Individual Access 

An organization is responsible for providing, upon written request, the existence, use, and disclosure of an individual’s personal information. They must also give those individuals access to the information that has been collected and they must be given the opportunity or option to challenge the accuracy of it and have it amended appropriately.

Organizations should have policies in place that are in line with the organization’s policies regarding access to information.


10. Challenging Compliance 

An organization is responsible for providing a platform for individuals to address challenges PIPEDA compliance with the core principles. The designated individual or team that handle’s an organization’s compliance will be the point of contact for individuals who are challenging the compliance issues.

Organizations should have the appropriate policies and procedures to ensure that there are no complaints filed or received regarding the way that an organization’s data is handled.


Guiding principles for a more transparent consent process in Canada

 Feb 25, 2019 9:00 AM
by Derek Lackey

The Privacy Commissioners of Canada, Alberta and British Columbia have jointly issued guidelines to help organizations obtain meaningful consent from individuals for the collection, use and disclosure of their personal information. The previously written Guidelines came into effect in January 2019 and are now applied by the Commissioners when evaluating organizational conduct.

The Guidelines set out seven guiding principles for meaningful consent:

1. Emphasize key elements

The Guidelines state that organizations must identify for individuals what personal information is being, or may be, collected about them and for what purposes. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to. Disclosure to third parties must also be clearly explained.

Further, individuals must be able to understand the consequences of the collection, use or disclosure to which they are consenting. Meaningful risks must be identified, which means a risk that falls below the balance of probabilities but is more than a minimal or mere possibility should be identified by the organization.


2. Allow individuals to control the level of detail they get and when

The Guidelines state that information must be provided to individuals in manageable and easily accessible ways, potentially including layers. This is because one person may be comfortable with a quick review of summary information, but others may need a “deeper dive.”

The Guidelines go on to state that the information should remain available to individuals as they engage with the organization, because consent choices are not made just once. At any time, individuals should be able to reconsider whether they wish to maintain or withdraw their consent. Full information should be available to them as they make those decisions.


3. Provide individuals with clear options to say "yes" or "no"

The Guidelines emphasize that individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. They must be given a choice about unnecessary collections, uses and disclosures. Previous Commissioner decisions indicate that the term “necessary” does not mean absolutely necessary (i.e. in the sense that it is literally not possible to provide the product/service without collecting, using or disclosing the personal information). Rather, the term “necessary” essentially means “reasonably necessary,” taking all relevant and legitimate factors into account.

For a collection, use or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purposes.


4. Be innovative and creative

The Guidelines say that organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.

While innovation and creativity are clearly worthy goals, it seems unlikely that the Commissioners would chastise an organization or find the organization to be in breach of the consent requirements in their respective legislation simply because the consent was not obtained in an innovative or creative manner. Accordingly, we suggest that organizations see this portion of the Guidelines as an encouragement or “challenge,” but not a strict legal requirement (indeed, the Guidelines note that some statements are intended to communicate “best practices”).

That said, the Guidelines make the fair point that mobile devices present an amplified communication challenge: individuals’ time and attention are at a premium and the medium does not lend itself to lengthy explanations. Accordingly, organizations need to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention in order to obtain informed and meaningful consent from individuals.


5. Consider the consumer’s perspective

The Guidelines point out that consent is only valid where the individual can understand that to which they are consenting. Accordingly, an organization’s consent processes must take into account the consumer’s perspective to ensure that the processes are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience. In order to do this effectively, the Guidelines suggest that organizations consider:

  • consulting with users and seeking their input when designing a consent process;
  • pilot testing or using focus groups to ensure individuals understand what they are consenting to;
  • involving user interaction/user experience designers in the development of the consent process;
  • consulting with privacy experts and/or regulators when designing a consent process; and/or
  • following an established "best practice" standard or other guideline in developing a consent process.


6. Make consent a dynamic and ongoing process

The Guidelines emphasize that informed consent is an ongoing process that evolves as circumstances change. Organizations should not rely on a static moment in time but, rather, treat consent as a dynamic and interactive process. Thus, ensuring the effectiveness of individual consent does not end with the posting of a privacy policy or notice.

For example, when an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. The Commissioners recommend that organizations consider periodically reminding individuals about their privacy options and inviting them to review these options.


7. Be accountable – stand ready to demonstrate compliance

The Guidelines state that in order for an organization to demonstrate that it has obtained valid consent, it must be able to do more than point to a line buried in a privacy policy. Instead, organizations should be able to demonstrate – either in the case of a complaint from an individual or a practice query from a privacy regulator – that they have a process in place to obtain consent from individuals and that such process is compliant with the consent obligations set out in the applicable legislation.


Other considerations

In addition to the seven guiding principles described above, the Guidelines ask organizations to keep in mind the following:

Organizations need to consider the most appropriate form for consent – in other words, organizations must ask themselves: “Should the consent in this particular situation be express or implied?” While express consent is generally required, there are certain circumstances under which implied consent may be adequate.

The purposes for which an organization collects and uses personal information must be appropriate and defined. Consent is not everything.

Individuals have the right to withdraw consent, subject to legal or contractual restrictions. A withdrawal of consent may mean that data held by an organization about an individual should be deleted, depending on the circumstances.

Organizations must obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves. (The federal commissioner takes the position that, in all but exceptional circumstances, this means anyone under the age of 13).


How will personal data continue to flow after Brexit?

 Feb 7, 2019 1:00 PM
by Derek Lackey

Elizabeth Denham's latest blog busts the myths for UK small and medium sized businesses transferring personal data to and from the EEA

Like everyone in the UK right now, we are following the twists and turns of the Brexit negotiations. The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services.

At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer term solution can be put in place. 

However in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.

With less than two months to go until the UK leaves the EU, we recognise that businesses and organisations are concerned. My latest myth busting blog challenges some of the misconceptions about what a ‘no deal’ Brexit will mean for UK companies transferring personal data to and from the EEA.

Myth #1: Brexit will stop me from transferring personal information from the UK to the EU altogether.


In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected.

The key question around the flow of personal data, is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going.

All businesses operating in the EEA should consider whether they need to take action now. Read our guidance pages to establish whether you need to prepare for data transfers in the event of ‘no deal’.


Myth #2: I have regular customers from Europe who come to my family’s hotel every year – I’ll need a special agreement set up to deal with their personal details.


When a customer passes their own personal data to a company in the EEA, it is not considered to be a data transfer and can continue without additional measures.

However, there may be other ways you transfer data, for example a booking agency transferring a list of customers, in this case you may need additional measures. If you are unsure please check the ICO’s guidance pages where we have a range of tools and advice to help.


Myth #3: Brexit will only affect data transfers of UK companies actually exporting goods or services to the EU.


Personal data transfers are not about whether your business is exporting or importing goods. You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’.

It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists. Our guidance – Leaving the EU – six steps to take will help.


Myth #4: My business will be fine because there will be a European Commission adequacy decision on exit day on 29 March 2019 to ensure the uninterrupted exchanges of personal data between the UK and the EU.


‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.  

Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.


Myth #5: Our parent company in Europe keeps all our personal data records centrally so I don’t need to worry about sorting any new agreements.


Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action.

There are many mechanisms companies can use to legitimise the transfer of personal  data with the EEA and standard contractual clauses is one of those. We have produced an online tool to help organisations put contract terms in place providing the lawful basis for the data transfers. Companies that need to act would also benefit from Leaving the EU - six steps to take guidance for more information.

You know your organisation best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.

It is in everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit. The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance.


ICO Blog



Bundeskartellamt prohibits Facebook from combining user data from different sources

 Feb 7, 2019 10:00 AM
by Derek Lackey

Date of issue: 07.02.2019

The Bundeskartellamt has imposed on Facebook far-reaching restrictions in the processing of user data.

According to Facebook's terms and conditions users have so far only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. All data collected on the Facebook website, by Facebook-owned services such as e.g. WhatsApp and Instagram and on third party websites can be combined and assigned to the Facebook user account.

The authority’s decision covers different data sources:

(i)     Facebook-owned services like WhatsApp and Instagram can continue to collect data. However, assigning the data to Facebook user accounts will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.

(ii)    Collecting data from third party websites and assigning them to a Facebook user account will also only be possible if users give their voluntary consent.

If consent is not given for data from Facebook-owned services and third party websites, Facebook will have to substantially restrict its collection and combining of data. Facebook is to develop proposals for solutions to this effect.

Andreas Mundt, President of the Bundeskartellamt: “With regard to Facebook’s future data processing policy, we are carrying out what can be seen as an internal divestiture of Facebook’s data. In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power. In future, consumers can prevent Facebook from unrestrictedly collecting and using their data. The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users. Voluntary consent means that the use of Facebook’s services must not be subject to the users’ consent to their data being collected and combined in this way. If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources.”

Facebook is the dominant company in the market for social networks

In December 2018, Facebook had 1.52 billion daily active users and 2.32 billion monthly active users. The company has a dominant position in the German market for social networks. With 23 million daily active users and 32 million monthly active users Facebook has a market share of more than 95% (daily active users) and more than 80% (monthly active users). Its competitor Google+ recently announced it was going to shut down its social network by April 2019. Services like Snapchat, YouTube or Twitter, but also professional networks like LinkedIn and Xing only offer parts of the services of a social network and are thus not to be included in the relevant market. However, even if these services were included in the relevant market, the Facebook group with its subsidiaries Instagram and WhatsApp would still achieve very high market shares that would very likely be indicative of a monopolisation process.

Andreas Mundt: As a dominant company Facebook is subject to special obligations under competition law. In the operation of its business model the company must take into account that Facebook users practically cannot switch to other social networks. In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.”

Abuse of market power based on the extent of collecting, using and merging data in a user account

The extent to which Facebook collects, merges and uses data in user accounts constitutes an abuse of a dominant position.

The Bundeskartellamt’s decision is not about how the processing of data generated by using Facebook’s own website is to be assessed under competition law. As these data are allocated to a specific service users know that they will be collected and used to a certain extent. This is an essential component of a social network and its data-based business model.

However, this is what many users are not aware of: Among other conditions, private use of the network is subject to Facebook being able to collect an almost unlimited amount of any type of user data from third party sources, allocate these to the users’ Facebook accounts and use them for numerous data processing processes. Third-party sources are Facebook-owned services such as Instagram or WhatsApp, but also third party websites which include interfaces such as the “Like” or “Share” buttons. Where such visible interfaces are embedded in websites and apps, the data flow to Facebook will already start when these are called up or installed. It is not even necessary, e.g., to scroll over or click on a “Like” button. Calling up a website with an embedded “Like” button will start the data flow. Millions of such interfaces can be encountered on German websites and on apps.

Even if no Facebook symbol is visible to users of a website, user data will flow from many websites to Facebook. This happens, for example, if the website operator uses the “Facebook Analytics” service in the background in order to carry out user analyses.

Andreas Mundt: By combining data from its own website, company-owned services and the analysis of third party websites, Facebook obtains very detailed profiles of its users and knows what they are doing online.”

European data protection provisions as a standard for examining exploitative abuse

Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users. The Bundeskartellamt closely cooperated with leading data protection authorities in clarifying the data protection issues involved.

In the authority’s assessment, Facebook’s conduct represents above all a so-called exploitative abuse. Dominant companies may not use exploitative practices to the detriment of the opposite side of the market, i.e. in this case the consumers who use Facebook. This applies above all if the exploitative practice also impedes competitors that are not able to amass such a treasure trove of data. This approach based on competition law is not a new one, but corresponds to the case-law of the Federal Court of Justice under which not only excessive prices, but also inappropriate contractual terms and conditions constitute exploitative abuse (so-called exploitative business terms).

Andreas Mundt: “Today data are a decisive factor in competition. In the case of Facebook they are the essential factor for establishing the company’s dominant position. On the one hand there is a service provided to users free of charge. On the other hand, the attractiveness and value of the advertising spaces increase with the amount and detail of user data. It is therefore precisely in the area of data collection and data use where Facebook, as a dominant company, must comply with the rules and laws applicable in Germany and Europe.”

The Bundeskartellamt’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court.

Further information on the proceeding can be found in a background paper.

Press release (pdf)