Google Reference decision should confirm privacy oversight of nonprofits
In its recent ruling regarding the jurisdiction of the federal private sector privacy law, PIPEDA, over Google’s search engine operations, the Federal Court has provided clarification that should ensure continued privacy oversight of the commercial activities of charities and other not-for-profit organizations (NFPs). In doing so, the Court, hopefully, will cause the federal government to rethink its proposed revision of the definition of “commercial activity” under the Consumer Privacy Protection Act (CPPA), the intended successor to PIPEDA, a revision that could have negated the widely-accepted interpretation that the federal privacy law applies to the commercial activities of NFPs.
Such activities – which include sales of merchandise and potentially a broad range of undertakings extending to fund-raising events, arts performances and sports activities – may or may not represent the thrust of an NFP’s mission, which may be purely non-commercial in nature. However their being subject to privacy oversight has the practical effect that the organization governs itself in compliance with the law in respect of all of its operations.
Definition of Commercial Activity
For constitutional reasons, PIPEDA applies only to the collection, use or disclosure of personal information by an organization “in the course of [its] commercial activities”, and the personal information of employees of “federal works”.
The definition of commercial activity in PIPEDA reads as follows:
commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
The widely understood interpretation of this definition is that, consistent with its express wording, if a transaction or course of conduct is what would commonly be understood to be of a commercial nature – generally meaning an activity that involves an exchange of something for value – including when entered into by an NFP – it comes under the purview of the privacy law.
However in its proposed reform and replacement of PIPEDA under the now defunct Bill C-11, the government set forth an amended version of the definition, which led to concern among commentators that the law might no longer apply to such activities when carried on by NFPs.
The revised definition read as follows:
commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization’s objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome.
Potentially excluding NFPs from PIPEDA’s application
The concern with the proposed revised definition was most clearly articulated by the federal Privacy Commissioner in his Submission to the Parliamentary Standing Committee on Access to Information, Privacy and Ethics (ETHI Committee) in relation to Bill C-11:
For what we understand are reasons of clarity, rather than a desire to change the scope of the activities governed by federal private-sector privacy law, the CPPA would add a contextually-dependent approach (adding the words “taking into account an organization’s objectives…”) to characterizing commercial activity. We find this very interesting, but are concerned that this change in structure from the PIPEDA definition may exclude certain activities that are commercial in nature but carried out by organizations that overall do not have commercial objectives. 
The Commissioner noted that such activities, undertaken by charities, professional associations and other not-for-profit organizations, are governed, properly in his view, by PIPEDA.
In sum, the requirement to take into account the context in which an otherwise clearly commercial activity takes place – meaning potentially the overall charitable or non-profit operations of the organization – could result in the activity being considered, for purposes of the statutory definition, non-commercial, and therefore outside the application of the law.
The government’s rationale for amending the definition
Why did the government potentially put in jeopardy an established understanding regarding the purview and impact of PIPEDA with respect to charities and other NFPs? Innovation, Science and Economic Development Canada (ISED), the federal department responsible for introducing Bill C-11, has not disclosed its reasons publicly. However it is understood that the rationale lay in the Google Reference case which the Privacy Commissioner brought before the Federal Court to confirm the application of PIPEDA relative to Google’s search engine results.
The background of the case involves an individual’s complaint to the OPC regarding the accuracy and currency of search results relating to him, and raises the broader issue of whether PIPEDA includes a “right be forgotten”. Google’s submissions in the Reference case included the argument that notwithstanding the commercial nature of its overall search engine business, involving creating profiles of users and using these profiles for targeting ads, the specific functions of collating and organizing information collected, at no cost, from content providers/publishers across the Internet, did not constitute a commercial activity.
Impact of the Federal Court’s decision
The Court disagreed, concluding that Google’s search engine activities are inextricably linked to its overall operations:
In my view, every component of that business model is a commercial activity as contemplated by PIPEDA. To have a microscopic look at the free aspect (i.e. no payment in money made) of the search for the user, or to the free aspect of the “library service” provided to news media would be, in my respectful view, a misunderstanding of Google’s business model. All these activities are intertwined, they depend on one another, and they are all necessary components of that business model.
The government, it is believed, had been concerned that the case might produce a result favourable to Google’s view – that its search engine does not constitute a commercial activity – and wanted to make clear that the law does apply, by adjusting the definition of commercial activity to in effect have a contextual override. If the context of the operations of the organization is commercial then any determination as to whether a specific, potentially non-commercial, activity must take into account that context.
So a Google search engine result would be considered a commercial activity within the context of its overall business operations. However, conversely, if the overall operations of a charity or not-for-profit organization are not commercial in nature, then even those of activities which otherwise would be considered commercial may be determined to be non-commercial, with the result that they would be outside the scope of the privacy law.
Implications of narrowing the definition
The potential implications of excluding charities and non-profits from even this limited application of the federal privacy law are significant. Such organizations collect and use the personal information of individuals in diverse ways, in many applications and in significant quantities. As with many organizations, profit or non-profit oriented, the contact information of their stakeholders – members, donors, subscribers, sports participants, and others – is critical to their operations.
Some of this information would be subject to the understood PIPEDA application; but much would not. However these organizations as a general operating rule do not differentiate – almost from the beginning of Canada’s privacy law regime under PIPEDA, charities and NFPs have adopted a privacy-compliant philosophy – likely driven, at least in part, by the recognized application of PIPEDA to certain of their activities. More broadly, this approach is embraced through the recognition that privacy compliance to the standards set forth in PIPEDA is an ethical, community-responsible dictate.
Conclusions – maintain the current, accepted scope of PIPEDA
One might characterize the impact of the existing statutory application of PIPEDA to not-for-profit organizations as “the tail wagging the dog” – the requirement to comply with respect to their commercial activities has the broader effect of embedding privacy compliance throughout all their operations. This result has been generally accepted within the non-profit sector. However if the “tail” were to be truncated or removed, the sector might be left with solely a “voluntary compliance” dictate, which some commentators have suggested would be a step backward.
The Federal Court’s Google Reference decision, notwithstanding that it might be appealed, should provide the government with sufficient confidence to acknowledge that the privacy law does not need a contextual override to the definition of commercial activity, or as a minimum, to put forward a formulation that maintains the current law’s understood application.
For more information please contact: David Young 416-968-6286 firstname.lastname@example.org Note: The foregoing does not constitute legal advice. © David Young Law 2021
© David Young Law 2021 Read the Full PDF: Google Reference decision should confirm privacy oversight of nonprofits
 Reference re Subsection 18.3(1) of the Federal Courts Act, 2021 FC 723 (CanLII) (Google Reference case).
 Outside of the traditional NFP sector, the application of PIPEDA to the commercial activities of political parties also could have the result that, in the absence of express extension of the privacy law to their activities, there would be regulatory oversight of their broader activities including internet tracking and targeting of voters.
 Federal works are those entities such as banks and transportation companies over which jurisdiction is granted specifically to the federal government under the Constitution Act, 1982. Similarly for constitutional reasons, PIPEDA does not apply to the personal information of employees of private sector, non-federal works, which is understood to be outside the scope of “commercial activity”.
 The OPC has stated its view PIPEDA that applies to indexed information as is provided within search results; see Draft Position on Online Reputation, Jan. 26, 2018. Under Bill C-11, a limited right to be forgotten, extending only to information collected directly from an individual, is expressly provided.
 Note 1, above at para. 59.
…… donors, clients and other stakeholders generally expect charities and not-for-profits to safeguard their personal information, protect it from misuse, and be transparent and accountable for how it is used. Under PIPEDA, even in situations in which they are not subject to the legislation itself, charities and not-for-profits are able to refer to the ten fair information principles that are listed in its Schedule 1 as best practices and guidelines for them to follow in handling personal information.
 Arguing that omission of the reference to the ”selling, bartering or leasing of donor, membership or other fundraising lists” in the proposed revised definition of commercial activity would be main the reason for the CPPA’s potential lack of application to NFPs, the Carters authors are unequivocal regarding the implications of this result:
Bill C-11 would have the effect of repealing Schedule 1 [of PIPEDA] and, if they are not caught by the legislation, leaving charities and not-for-profits with no guidance around appropriate privacy practices.
 The Privacy Commissioner, in his ETHI Committee Submission, has proposed the following as part of the definition for commercial activity:
any particular transaction, act or conduct that is of a commercial character, whether or not it is committed by an organization whose general objectives are of a commercial character.