
Exploring the No-Go Zones: Overview of the Guidance Issued by the Canadian Privacy Regulator Relating to Inappropriate Purposes

December 17, 2024 | Privacy & Data Protection Bulletin

The protection of personal information is a cornerstone of privacy rights in Canada. Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), organizations must observe the “appropriate purpose” test when collecting, using, or disclosing personal information. The Office of the Privacy Commissioner of Canada (“OPC”) has identified several “No-Go Zones”[1] referring to practices that a reasonable person would consider inappropriate in the circumstances.

This bulletin reviews the No-Go Zones identified by the OPC and explores emerging No-Go Zones involving generative artificial intelligence systems (“Generative AI”).

1. What Is a No-Go Zone?

Under subsection 5(3) of PIPEDA, organizations may only collect, use and disclose personal information for purposes that a “reasonable person” would consider appropriate in the circumstances. The reasonable person test is assessed objectively based on the context rather than subjectively based on an individual’s experience.[2] That is why obtaining consent from individuals does not absolve an organization from its obligation to use personal information for appropriate purposes.

The appropriate purpose standard acts as a backstop to ensure that an organization’s privacy practices remain within the bounds of societal expectations. When interpreting subsection 5(3), organizations must strive to find a balance between an individual’s right to privacy and an organization’s legitimate business needs. This “balancing of interests” exercise is crucial to determining what purposes may be appropriate (or not) under PIPEDA.

In guidance issued by the OPC relating to the interpretation of subsection 5(3) of PIPEDA, the OPC makes reference to certain No-Go Zones representing practices that are inappropriate from the perspective of a “reasonable person.”[3]

By categorizing certain practices as falling within No-Go Zones, the OPC sends a clear message to organizations that such practices will not be acceptable under Canadian privacy laws, even if they are conducted in a minimally intrusive manner or consent has been obtained for the practice.

Here is an overview of six No-Go Zones established by the OPC:

2. No-Go Zones Under PIPEDA

a. Purposes that Violate Canadian Laws
The first No-Go Zone relates to the collection, use, or disclosure of personal information for purposes that contravene Canadian laws, statutes, or regulations. Organizations are expected to be aware of and comply with all applicable Canadian laws governing their activities. Practices that breach Canadian laws will evidently fail the “appropriate purpose” test and be considered unlawful under PIPEDA.

Such activities may include, but are not limited to, those that are explicitly illegal, such as fraud or identity theft, or practices that violate specific legislation related to privacy, such as consumer reporting laws or anti-discrimination statutes.

b. Inappropriate Profiling or Categorization
The second No-Go Zone is the collection, use, or disclosure of personal information for the purpose of profiling or categorization that can lead to violations of human rights laws. Profiling and categorization have become increasingly prevalent in today’s data-driven world. While profiling can provide valuable insights for tailoring services or improving organizational decision-making, its misuse can lead to unlawful practices.

Profiling or categorization that leads to discrimination based on prohibited grounds, such as race, gender, age, religion, or disability, among others, will violate human rights law and will be inherently inappropriate under PIPEDA. Even when profiling does not violate human rights law, organizations must exercise caution as their purpose may be inappropriate due to the unfair or unethical results profiling and categorization may produce.

c. Purposes Known or Likely to Cause Significant Harm to Individuals
The third No-Go Zone established by the OPC relates to purposes that are known or likely to cause significant harm to individuals. When an organization’s purpose has the potential to cause harm to individuals, a reasonable person would consider such purpose to be inappropriate.

“Significant harm”[4] refers to a range of negative outcomes that can have lasting and serious impacts on individuals, including:

  • bodily harm, such as physical injuries resulting from privacy breaches, or stalking enabled by leaked location data,
  • humiliation, damage to reputation or relationships, such as the public exposure of sensitive personal information, private photos or medical records that can tarnish an individual’s image or strain personal connections,
  • loss of employment, business, or professional opportunities, such as the dissemination of inaccurate or harmful information that influences hiring decisions or an individual’s career prospects,
  • financial loss or identity theft, such as the unauthorized use of personal information to access bank accounts, commit fraud, or make fraudulent purchases,
  • negative effects on the credit record, such as the improper use of credit data leading to denial of loans or other financial services, and
  • damage to or loss of property, such as the exploitation of personal information to commit theft or vandalism.

The OPC considers that a reasonable person would likely reject purposes that impose disproportionate risks or harms on individuals compared to the benefits offered by the products or services purchased from an organization. While consumers often trade some degree of privacy for convenience, organizations must ensure that they do not subject individuals to a high risk of significant harm.

d. Unauthorized Publication of Sensitive Personal Information
The fourth No-Go Zone is the unauthorized publication of personal information, online or otherwise, for the main purpose of charging the individual concerned a fee to have the information removed. The OPC takes the position that profiting from an individual’s distress or fear of reputational harm is clearly offside of Canadian privacy laws.

The Federal Court of Canada confirmed the OPC’s position in a case involving an organization that republished publicly available court records and charged individuals for their removal.[5] While the records were public to begin with, the organization amplified their accessibility and required individuals to pay a fee for the takedown of the records. This was held to be inappropriate under PIPEDA.

e. Seeking Social Media Passwords for Employee Screening
The fifth No-Go Zone relates to the practice of requiring social media passwords as part of employee relationship management or job applicant screening processes. Employers often conduct background checks to assess a candidate’s qualifications, suitability, and character. While these checks may include a review of publicly available information, requiring access to private, password-protected areas of a social media account crosses ethical and legal boundaries.

The employment relationship is inherently imbalanced, with employers having greater bargaining power. When employers request private social media access, applicants and employees may feel compelled to comply out of fear of losing a job opportunity or their current position. Ultimately, the OPC indicates that the practice of seeking social media passwords is highly invasive and inappropriate under PIPEDA.

f. Surveillance Through an Individual’s Device
The sixth No-Go Zone relates to surveillance through the audio or video functionality of an individual’s device, whether covert or overt. The OPC considers this practice to represent one of the most intrusive violations of personal privacy.

Device surveillance typically refers to the unauthorized or excessive use of a device’s built-in features, such as listening to conversations through a device’s microphone, activating the camera to capture images or videos, or tracking the device’s screen activity, such as browsing history or app usage.

The rise of Internet of Things (IoT) devices has introduced new challenges in this area. Devices such as smart speakers, connected cameras, and wearable technology are increasingly integrated into everyday life. These devices often come with features that can be exploited for surveillance, blurring the line between legitimate functionality and privacy intrusion.

The OPC has found that spyware applications allowing a rent-to-own company to track missing laptops by collecting keystrokes, screenshots, webcam photographs, and other information violated privacy laws.[6] In essence, this type of surveillance was held to be vastly disproportionate to the intended business objective of recovering missing laptops.

3. Emerging No-Go Zones in Generative AI

Generative AI represents a transformative technology with great potential to enhance creativity, productivity, and innovation. However, its misuse can pose significant privacy risks. In the Principles for responsible, trustworthy and privacy-protective generative AI technologies (“GenAI Principles”), co-published by all of Canada’s privacy regulators, the regulators identified several potential emerging No-Go Zones involving the use of Generative AI.[7] The potential emerging No-Go Zones identified in the GenAI Principles are the following:

a. Creation of Malicious Content
Generative AI can be misused to produce malicious or harmful content that infringes on privacy and undermines trust in digital interactions. For example:

  • Generative AI is used to generate videos or images that manipulate the real likeness of an individual for malicious purposes (“deepfakes”), such as spreading false information about an individual, impersonating the individual, or creating and disseminating intimate images without the individual’s consent.
  • Generative AI is used to forge biometric information, such as facial features or voice patterns, to gain unauthorized access to secure systems or bypass authentication systems.

b. Manipulative Conversational Bots
Chatbots powered by Generative AI can convincingly simulate human conversations, which makes them valuable tools for customer service operations and client engagement. However, when misused, they can become instruments of manipulation. For instance, chatbots designed to influence individuals into revealing personal or sensitive information under the guise of a legitimate interaction, to mislead individuals about the purpose of the interaction, or to push an individual to make a decision they would not otherwise make, could constitute a violation of privacy laws.

c. False or Defamatory Content
Generative AI can also be weaponized to produce false or defamatory content about individuals. For example, Generative AI could be used to generate text or audio content attributed to an individual that damages their reputation or produce content that portrays an individual in a false light, leading to public humiliation or personal distress.

4. Takeaways

As the digital landscape continues to evolve, the OPC’s identification of various inappropriate purposes for collecting, using, and processing personal information serves as a crucial tool for organizations dealing with the complexities of the privacy law landscape in Canada. By steering clear of the identified inappropriate purposes or “No-Go Zones”, organizations can demonstrate their commitment to respecting individuals’ privacy, fostering trust, and safeguarding their reputation in a data-driven world.

Organizations should remain vigilant, adaptable, and principled in their approach, ensuring that their practices meet not only the letter of the law but also the expectations of a reasonable and informed society. Beyond compliance, organizations have a shared social responsibility to uphold the integrity of the digital economy and protect the fundamental rights of all Canadians.

[1] OPC, Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) (May 2018). [No-Go Zone Guidance]
[2] Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140, at paras 60-63.
[3] No-Go Zone Guidance.
[4] PIPEDA, subsection 10.1(7).
[5] OPC, PIPEDA Report of Findings #2015-002.
[6] OPC, PIPEDA Report of Findings #2013-016.
[7] OPC, Principles for responsible, trustworthy and privacy-protective generative AI technologies (December 2023).

by Amir Kashdaran and Robbie Grant

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
