On June 30, 2020, the Office of the Privacy Commissioner of Canada (OPC) released its Report of Findings on the information handling practices of the operator of RateMDs.com, a popular review website that allows users to rate health professionals for the benefit of other patients (RateMDs).1 The decision arose from a complaint filed by a dentist from British Columbia in which she sought to have her profile permanently removed from RateMDs' platform, alleging that RateMDs had failed to obtain her consent in violation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

The OPC concluded that RateMDs was not required to obtain the complainant's consent before collecting, using or disclosing her personal information, including her name, business contact information, as well as reviews and ratings. However, it found that RateMDs had failed to be sufficiently transparent regarding health professionals' right to request to have their personal information corrected or amended if inaccurate, incomplete or out-of-date. In addition, the OPC also found that RateMDs had engaged in an unreasonable practice, in contravention of section 5(3) of PIPEDA, by offering a subscription-based service that included a "pay-for-takedown" feature, which allowed health professionals to hide up to three negative comments from their profile.

While the decision provides valuable insights and guidance on the obligations and role of organizations in protecting individuals' reputation online, the decision represents an important, albeit cautious, foray into a Canadian "right to be forgotten" (RTBF) – a discussion that closely aligns with the OPC's previous statements in its Draft Position Paper on Online Reputation. In this respect, the present decision raises a number of issues for organizations seeking to implement the OPC's recommendations and illustrates the challenges that lie ahead with respect to the recognition of a full-fledged RTBF in Canada. Considering a reference that may have significant implications for the recognition of a Canadian RTBF is still pending before the Federal Court, organizations should exercise caution in managing requests to remove user-generated content pursuant PIPEDA.

Background

A dentist from British Columbia filed a complaint with the OPC, alleging that RateMDs had violated PIPEDA for having published her personal information on its website without her consent, and sought to have her profile permanently removed, including reviews and ratings – a request that RateMDs consistently refused, citing public interest.

By its own description, RateMDs' platform is "intended for patients to rate and review their treating health professionals so that other patients can make more informed decisions concerning their health care".2 To achieve this objective, RateMDs enables its users to create a health professional profile containing the latter's name, gender, speciality, primary practice and business contact information (i.e. address and business phone number).3 Once a profile is created, RateMDs allows former patients to anonymously submit their reviews and ratings about the health professional's practice and character.

To preserve the integrity of its platform, RateMDs does not amend or remove content based on an individual's sole claim that a particular review is unfair. However, it provides individuals with various tools to amend or remove content that is inappropriate, not relevant for the purposes of its platform or demonstrably inaccurate, incomplete or out-of-date. While these tools are generally free, RateMDs also offers a paid subscription service that allows health professionals to hide up to three negative reviews.

Decision

In addressing the complainant's primary argument that RateMDs failed to obtain her consent pursuant to PIPEDA, the OPC addressed two additional questions related to RateMDs' compliance with transparency and reasonableness requirements. While the complainant did not argue that the information contained on her profile was in any way inaccurate, the OPC also provided general comments on the process that organizations must put in place to allow individuals to challenge the accuracy, completeness or currency of content published on RateMDs' platform.

In order to determine whether RateMDs had an obligation to obtain the complainant's consent, the OPC had to assess whether her business contact information and other factual information contained on her profile benefited from a consent exception or an exemption under PIPEDA, namely the "business contact information exemption"4 or the "publicly available information exception".5 With respect to the former exemption, the OPC held that RateMDs did not qualify, as the exemption only applied to information that was being collected, used or disclosed "solely" for the purpose of "communicating or facilitating communication with the individual in relation to their employment, business or profession".6 Given that RateMDs' stated purpose was to help patients make an informed decision with respect to their choice of health professionals, not to "solely" facilitate communication between patients and their health professionals, the OPC concluded that the information concerned could not be exempt under PIPEDA.7

However, with respect to the "publicly available information exception", the OPC found that RateMDs did qualify and could collect, use and disclose the complainant's name, area of speciality and business contact information without her consent, as this information was found on a number of public directories and registries considered "publicly available" within the meaning of PIPEDA.8 These public directories and registries included the College of Dental Surgeons of British Columbia (CDSBC) registry , the Yellow Pages and online professional or business directories such as the website for the complainant's dentistry practice.

The OPC then turned to the issue of whether non-exempt personal information (i.e. reviews and ratings about the complainant) required the complainant's consent. Before addressing this question, the OPC determined that RateMDs is accountable for user-generated content on its platform, as it collects, uses or discloses such information for its own profit-seeking purposes. The OPC readily concluded that reviews and ratings are the "personal information" of both the user who generated them and the complainant, thereby setting the stage for a fraught debate about the necessity of obtaining both individuals' consent. It is at this stage that the OPC aptly noted that PIPEDA was "ill-suited to regulate these types of services, which pit the privacy rights of individual(s) against the rights and interests of other individuals".9 In turn, it readily acknowledged that where those rights and interests conflict, it would be "rarely possible" to obtain both parties' consent.10

To overcome this difficulty, the OPC decided to take a surprising approach. Rather than considering applying the journalistic purposes exemption in order to exempt the reviews and ratings published on RateMDs' platform from PIPEDA's scope – an arguably more palatable solution – the OPC preferred to frame the problem as an issue involving the balancing of two competing "rights". In so doing, the OPC considered the various competing interests, including the public's interest in accessing the reviews and ratings in question, and concluded that it would be inappropriate in this case to give precedence to the complainant's interests over the broader interests at play. As such, no consent was required from the complainant in this case.

Turning to the two outstanding issues, namely the issue of transparency and reasonableness, the OPC found the complaint to be well founded on both of these aspects. First, the OPC concluded that RateMDs had infringed the openness principle (Principle 4.8) as it failed to adequately inform health professionals of their right to make a request to correct or amend their personal information, where such information was inaccurate, incomplete or out-of-date. RateMDs subsequently resolved this issue by adding relevant language in its platform's terms of use and FAQs webpage.

With respect to the second aspect, the OPC took issue with one feature of RateMDs' subscription service, which allowed health professionals to hide up to three negative reviews from their public profile. In citing the Globe24h decision,11 which concerned an organization republishing Canadian court decisions with the intent to charge for their removal, a practice that the Federal Court considered unreasonable and prohibited under section 5(3) of PIPEDA, the OPC viewed RateMDs' "pay-for-takedown" service as analogous to that decision and in contravention of PIPEDA's reasonableness requirement.

Business takeaways

Although a number of issues were raised, the decision is notable in the following four respects:

  • First, the decision reaffirms that user-generated comments, reviews and ratings may be both the personal information of the user and the person whom those comments are about, and if those individuals share competing interests, organizations should weigh those interests carefully before giving precedence to one over the other. How this should be achieved in practice is unclear, as organizations may not always be in the best position to balance broader considerations and factors related to the public's interest in maintaining the availability of information concerned.
  • A second key takeaway is an organization's obligation to be open about its policies and practices relating to the management of personal information. More specifically, organizations must not only have a "fair and accessible" process in place that allows individuals to rectify their personal information, they must adequately inform individuals thereof and make it clear that they have a right to request the correction or amendment of their personal information if it is demonstrated to be "inaccurate, incomplete or out-of-date". It is not sufficient for an organization to simply state that information will be removed or amended if "inappropriate", as individuals must be informed of their privacy rights and the means available to exercise them. In practice, this is generally achieved by incorporating relevant language in a privacy policy made available to individuals concerned in an easily accessible format.
  • The decision also reaffirms that an organization's business model cannot be based, even in part, on charging individuals for the removal or amendment of their personal information, as doing so would amount to an "unreasonable" practice under section 5(3) of PIPEDA (or as the OPC puts it, a "no-go-zone"). However, it is important to note that PIPEDA allows organizations to charge individuals a modest fee in order to respond to an access or rectification request.12
  • Finally, the OPC's analysis of the "business contact information exemption" and "publicly available information exception" provides helpful guidance as to their respective scope and application, which unfortunately remains relatively circumscribed under the federal legislation. For instance, whereas the former requires information to be used "solely" for the purposes of facilitating communication between individuals, the latter exception does not, paving the way for a more flexible application of the publicly available information exception, a boon for businesses that rely on these types of information. In other words, to the extent that this exception requires publicly available information to be collected, used or disclosed for a particular purpose – generally that for which information appears in a designated registry or directory – this condition will be satisfied even though such purpose is only incidental to the organization's overall activities. In turn, given that information in this case was user-generated, the OPC also appears to suggest that organizations do not have to collect information directly from a designated publicly available source in order to qualify for the exception.

Analysis of outstanding questions

Jurisdictional issues

This decision illustrates the complex jurisdictional issues that often arise when an organization operates its commercial activities online. Indeed, organizations may find themselves subject to both provincial and federal privacy legislation concurrently – an issue that promises to become increasingly important to consider as provinces, such as Québec, seek to update their privacy laws in potentially incongruous ways. For a more detailed discussion on Québec's proposed amendments to its privacy law, see our article Proposed amendments to Québec privacy law: Impact for businesses.

It is worth highlighting that the complainant, a British Columbia resident, filed her complaint against RateMDs, a California-based company, under PIPEDA as opposed to British Columbia's private sector privacy law, the Personal Information Protection Act (PIP"). B.C. is currently one of three provinces – along with Alberta and Québec – that has enacted its own private sector privacy law deemed "substantially similar" to PIPEDA. By being deemed "substantially similar", the provincial privacy legislation applies in lieu of PIPEDA with respect to intra-provincial matters. With respect to inter-provincial or international matters, however, PIPEDA retains its jurisdiction notwithstanding the province in which the matter first arose.

In this case, the OPC retained its jurisdiction to apply PIPEDA, as RateMDs was based in the U.S. and personal information was being processed across B.C. borders. However, what about the B.C. statute? Was the complainant entitled to bring a claim against RateMDs under the B.C. PIPA as well? In this case, the answer is likely no, as section 3(2)(c) of the B.C. PIPA expressly provides for the B.C. statute's jurisdictional abdication in favour of PIPEDA in these types of situations. In contrast, however, the Alberta and Québec statutes do not provide a similar provision, and as such, the issue of concurrent jurisdiction is more likely to arise for organizations with activities in these provinces. Québec's privacy regulator recently issued a decision in which it upheld its jurisdiction to apply Québec's provincial privacy statute to a federally regulated organization partially operating in the province.13 Considering this, organizations should exercise caution in determining which privacy statute applies to their activities, especially as a number of provinces have either already proposed or are considering proposing important changes to their privacy laws. See our article Canadian privacy law reform is coming – are you ready?  for more information.

Journalistic purposes exemption

Another issue that was notably missing from the decision was whether user-generated reviews and ratings on RateMDs' platform may have qualified for the journalistic purposes exemption found under section 4(2)(c) of PIPEDA. This provision entirely exempts personal information that an organization collects, uses or discloses "exclusively" for "journalistic, artistic or literary purposes".14 Yet, the term "journalistic" is not defined under the federal legislation and courts have sparingly interpreted its meaning.

In Globe24h, the Federal Court suggested that an activity will qualify as "journalistic" where its purpose is to "(1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a 'self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation'".15 That said, Canadian courts have also warned against interpreting the term "journalistic" as encompassing any form of expression. Indeed, the Alberta Court of Appeal in United Food and Commercial Workers, Local 401 stated: "[w]hile all journalism may be a form of expression, not all expression is journalism".16

Based on the foregoing, one must ask whether RateMDs' objective – which was to help patients "make more informed decisions concerning their health care" – met the three conditions described in Globe24h in order to qualify as "journalistic", and if so, whether it was pursuing its activities "exclusively" for such purpose. While it is beyond the scope of the present bulletin to provide an exhaustive answer to these questions, it is helpful to consider a couple of decisions in which this exemption was raised to canvas potential arguments that would have been interesting to consider in the OPC's decision.

For instance, Globe24h concerned an organization whose activities consisted in republishing Canadian court decisions online in order to subsequently charge individuals named in these decisions for their removal. In concluding that the organization was not pursuing "journalistic" purposes, the court based its conclusion in part on the fact that the organization added, "no value to the publication by way of commentary, additional information or analysis".17 Similarly, Surrey Creep Catcher (Re) concerned a similar exemption under the B.C. PIPA and involved an organization whose activities consisted of luring alleged child predators into video-recorded confrontations for the purposes of subsequently posting the video online. In concluding that the organization's activities did not qualify as "journalistic", the B.C. privacy regulator argued that there was "no evidence" that the organization had made "any effort to present the complainants' points of view when posting the videos, to provide any commentary or analysis or to provide 'an accurate and fair description of facts, opinion and debate at play within a situation'".18

In contrast to these decisions, there are a couple of reasons to believe that RateMDs could have qualified for the journalistic purposes exemption. First, RateMDs' practices clearly pursued a legitimate public interest, and this was expressly acknowledged by the OPC in its analysis of consent in which it gave precedence to the public's interest over that of the complainant. Second, given that RateMDs actively curated the content that was posted on its platform to ensure its relevance, accuracy, completeness and currency, it is also arguable that, unlike in Surrey Creep Catcher (Re), RateMDs was taking a number of steps to provide, "an accurate and fair description of facts, opinion and debate at play within a situation". Thus, by distinguishing the present decision, the lack of any mention of the journalistic purposes exemption is jarring given the relative strength of these preliminary arguments. Although RateMDs would have had the challenging task of also satisfying the "exclusivity" requirement in order to qualify for the exemption, it is clear from the foregoing discussion that this was a missed opportunity to clarify the scope of an oft-forgotten provision. Whether these arguments will be addressed more fully in the OPC's 2018 referral, which is still pending before the Federal Court, is still unclear.

Challenges faced by a Canadian right to be forgotten

At its core, the OPC's decision represents an important first step towards implementing a RTBF under Canadian privacy law – a notion that originated in Europe and found its way to Canada, and most recently to Québec. While the issue of whether search engines are required to de-index information will depend in part on the outcome of the referral still pending before the Federal Court, this decision addresses the second component of the RTBF, which allows individuals to request for the removal of their personal information at source. The potential "notice-and-takedown" regime raises important issues relating to freedom of expression and the public's right to information. As the following analysis illustrates, PIPEDA is simply ill-suited to address these challenges in its current form and is a relatively crude tool to mediate individuals' constitutional rights and freedoms. For a more detailed discussion on Québec's proposed amendments to its privacy law, see our article Proposed amendments to Québec privacy law: Impact for businesses.

The OPC's decision to engage in the balancing of interests was framed as an issue involving two competing "rights" under PIPEDA for which no solution is readily provided. In engaging in this exercise, the OPC cited a number of previous decisions involving an individual seeking to obtain access to opinions about them formulated by others without their consent, placing an individual's right to access their personal information in opposition to another's right to withhold consent with respect to the disclosure of their personal information. In contrast to these decisions, the present situation did not give rise per se to two competing rights in that those users who posted reviews and ratings about the complainant did not have a free-standing "right to provide" their personal information to RateMDs, whereas the complainant had a right to withhold her consent to the publication of her personal information. While it is likely that the OPC took a broader interpretation with respect to the meaning of "right" in order to include freedom of expression and the public's right to information, PIPEDA was not meant to clearly address these types of situations, let alone require organizations to engage in these types of contextual and legal analysis. For instance, it is not readily clear how or by what standard an organization is expected to give precedence to the public's interest over that of a complainant in order to remove their information. Given that courts themselves struggle to define the meaning of "public interest", organizations gain little in terms of certainty when engaging in these types of analysis; raising fears that they will simply prefer to remove content in order to avoid the hassle of challenging privacy complaints.

These issues are compounded when we consider the OPC's suggestions with respect to handling rectification requests. Although it did not render any conclusive findings in this respect, the OPC highlighted in its decision the unfairness of the process for challenging the accuracy, completeness and currency of reviews and ratings posted by anonymous users. While it is undeniable that a person will be at a disadvantage when exercising their right to have these types of information rectified if they are unable to verify the identity of their author, it is also clear that anonymous users are also at a disadvantage. For instance, there is no requirement under PIPEDA in these types of situations to warn users that the organization received a request to amend their personal information, nor is there an opportunity for them to defend the accuracy, completeness and currency of their reviews and ratings. Even if this process existed, how could it be enforced if reviews and ratings were posted anonymously? Requiring an organization to collect or disclose the identity of its anonymous users would likely be prohibited under PIPEDA. In this sense, the process available to rectify subjective personal information under PIPEDA is unfair to both the complainant and anonymous users in these situations, further highlighting the extent to which, as the OPC aptly acknowledged, PIPEDA is "ill-suited to regulate these types of services". This is in part why Québec's privacy regulator expressly stated that the rectification right under Québec s private sector privacy law applied "only to specific and verifiable facts", that is "objective information", and as such, "comments, observations, opinions and diagnoses cannot be the subject of a request for rectification since they correspond to that [individual's] point of view as a result of their subjective observation of the relevant facts" [Our Translation].19

Considering that there are a number of alternative legal mechanisms available to protect individuals' reputation online, which are specifically adapted to address the complex and nuanced issues raised in these situations in a fair and impartial manner,20 it appears neither necessary nor desirable to create a legislative shortcut under PIPEDA to achieve this objective, no matter how laudable it may be. As demonstrated in the OPC's decision, extending PIPEDA requirements to online reviews and ratings may lead to unintended consequences and patent unfairness to both parties. For these reasons, a more adequate forum to address the various challenges faced by the implementation of a Canadian RTBF remains future legislative reforms to PIPEDA.

Conclusion

Although the OPC's decision raises a number of interesting issues about the potential scope of a RTBF under Canadian privacy law, many uncertainties remain about how organizations are expected to implement the OPC's recommendations with respect thereto in a manner that meaningfully protects individuals' competing interests. In this respect, organizations operating platforms similar to RateMDs' should exercise caution in their handling of requests to remove user-submitted content and should assess whether such content is subject to PIPEDA.

More broadly, however, organizations should ensure that they implement and maintain "fair and accessible" policies and practices for managing individuals' privacy rights, including the right to rectify their personal information if it is no longer accurate, complete or up-to-date. Specifically, organizations should also be transparent about those policies and practices, and inform individuals of their rights through comprehensive and easily accessible means, such as a privacy policy. In turn, organizations should also ensure that they do not commercialize individuals' rectification rights by charging for the removal of their personal information, as doing so will almost certainly be considered an unreasonable practice under PIPEDA.

Footnotes

1.  OPC, PIPEDA Report of Findings #2020-002, June 30, 2020 [RateMDs].

2.  RateMDs at para. 8.

3.  RateMDs at para. 10.

4.  Section 4.01, PIPEDA.

5.  Section 7(1)(d), 7(2)(c.1), 7(3)(h.1) PIPEDA; Regulations Specifying Publicly Available Information.

6.  ection 4.01, PIPEDA.

7.  RateMDs at para. 37.

8.  It is important to note that information is not considered "publicly available" under PIPEDA simply because it is "publicly accessible" online. Rather, according to the Regulations Specifying Public Available Information, personal information may qualify as publicly available in a relatively limited number of circumstances, subject to restrictions related to information type and purpose requirements.

9.  RateMDs at para. 52.

10.  RateMDs at para. 52.

11.  A.T. v. Globe24h.com, [2017] 4 FCR 310.

12.  Section 8(6), PIPEDA.

13.  D'Allaire c. Transport Robert (Québec) 1973 ltée, 2020 QCCAI 152.

14.  A.T. v. Globe24h.com, [2017] 4 FCR 310, at para. 72.

15.  A.T. v. Globe24h.com, [2017] 4 FCR 310, at para. 68.

16.  United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII) at para. 56; decision upheld in appeal see Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, [2013] 3 SCR 733.

17.  A.T. v. Globe24h.com, [2017] 4 FCR 310, at para. 70.

18.  Surrey Creep Catcher (Re), 2020 BCIPC 33 (CanLII), at para. 20.

19.  S.R. c. Côté, 2009 QCCAI 172 (CanLII), paras. 12-16. See also, D.V. c. Benhamou, 2014 QCCAI 75 (CanLII).

20.  Eloïse Gratton and Jules Polonetsky, "Privacy above All Other Fundamental Rights? Challenges with the Implementation of a Right to be Forgotten in Canada", April 28, 2016, at pages 22 and following.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.