While consent remains at the heart of the proposed Consumer Privacy Protection Act (“CPPA”) introduced in Bill C-27, which seeks to reform the Personal Information Protection and Electronic Documents Act (PIPEDA), the CPPA provides for a new exception to the requirement for consent: “legitimate interest”. This new exception is reminiscent of the legal basis of the same name found in the General Data Protection Regulation (“GDPR”) in Europe since its entry into force in 2018. Through a brief overview of the concept in Europe, where it has been evolving for several years, we will attempt to shed light on the anticipated ins and outs of this proposed exception to the requirement for consent in Canada.
1. In Canada: Legitimate Interest as an Exception to the Requirement for Consent
The federal government’s proposed CPPA reaffirms consent as the basis for the collection, use and disclosure of personal information under federal private sector privacy law, while also providing for two new broader-based exceptions to consent in addition to the long list of narrower exceptions to this general rule (which are largely also present in PIPEDA).
One of the two new broader exceptions to consent applies where a legitimate interest would outweigh any potential adverse effect on the individual resulting from the collection or use of their personal information, provided that:
a. the individual would expect the collection or use; and
b. it is not for the purposes of influencing the behaviours or decisions of such individual (e.g. for behavioural marketing purposes). 
The use of the legitimate interest exception is however subject to the completion of a prior assessment in which the organization must:
1. identify any potential adverse effect on the individual that is likely to result from the collection or use for such activity;
2. identify and document how it takes reasonable measures to reduce the likelihood that the effects will occur or to mitigate or eliminate them; and
3. document how it complies with any prescribed requirements.
An organization must keep records with respect to the foregoing and must, on request, provide a copy of the assessment to the Privacy Commissioner of Canada. In its policies and practices, the organization must also make readily available information on how it uses the personal information and how it applies the exceptions to the requirement to obtain an individual’s consent, including a description of any activities in which it has a “legitimate interest”.
Thus, the “legitimate interest” proposed in Bill C-27 is an alternative to consent that, in the cases where it is permitted, requires careful advance documentation, as well as transparent disclosure of its use in the organization’s policies. As a result, the best and most convenient practice would remain to obtain consent for the collection, use and disclosure of personal information where possible.
2. Parallel with the Legitimate Interest Legal Basis Under the GDPR
Under the GDPR, and contrary to Canadian privacy laws which are firmly consent-based, several legal bases exist for the processing of personal information as set out in article 6 of the GDPR:
6(1). Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. […]
Although the legitimate interest legal basis is the last one on the list provided by article 6, this does not mean that it is less important than the others or that it is an exception to a general rule. On the contrary, it is one of the possible bases for the processing, like consent. There is no hierarchy between legitimate interest and consent under the GDPR.
Indeed, according to the European Data Protection Board (“EDPB”):
[…] no specific hierarchy is made between the different lawful basis of the GDPR: the controller needs to ensure that the selected lawful basis matches the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation. 
In order to rely on the legitimate interest legal basis, the controller must first perform a three-step test to establish that:
1. the pursuit of the interest by the controller or by the third party or parties to whom the personal information is disclosed is “legitimate” (purpose test);
2. the processing of personal information is necessary for the achievement of the legitimate interest pursued (necessity test); and
3. the controller’s legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (balancing test).
This test, generally referred to as the Legitimate Interest Assessment (“LIA”), is not expressly mentioned in Article 6 of the GDPR. That being said, organizations in Europe can rely on the guidance and templates provided by the United Kingdom (UK) Information Commissioner’s Office (“ICO”) to conduct their LIA; that guidance describes the LIA as reproduced above.
Contrary to the CPPA, which refers to “potential adverse effect”, the GDPR refers to “the interests or fundamental rights and freedoms of the data subject”. Pursuant to the GDPR, in order to assess whether the legitimate interest is overridden by the fundamental rights and freedoms of the individuals (balancing test), the controller shall take into account the reasonable expectations of data subjects (individuals) based on their relationship with the controller. Indeed, according to recital 47 of the GDPR:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. […].
As mentioned, the assessment above must be documented. The organization must also take appropriate measures to provide individuals with information regarding its reliance on a legitimate interest.
In short, the Canadian and European tests both include a balancing of the legitimate interest of the organization against the interests or fundamental rights and freedoms of the data subject in Europe, or against potential adverse effects on the individual in Canada. To date, the question arises as to how to interpret “potential adverse effect”, since this expression seems to be broad, but we do not expect that it would be more permissive than the GDPR. The criteria used in Europe could serve as inspiration in Canada if the text of Bill C-27 were adopted as is, pending Canadian documentation similar to that provided by the ICO, which would certainly be welcomed by the industry.
The introduction of the notion of “legitimate interest” in Canada is a breath of fresh air in the world of privacy, which has long called for uniformity of the legal concepts and rules in the context of frequent inter-jurisdictional transfers of personal information. In the absence of more guidance on the concept of legitimate interest introduced in Bill C-27, the criteria and documentation used on the other side of the Atlantic could be useful to organizations that would be subject to the proposed CPPA in Canada.
However, in order to avoid organizations taking refuge in this exception as soon as consent is difficult to obtain, the Canadian government will have to ensure that it provides tools and procedures to crystallize the concept, its assessment and its application criteria beyond the threshold set out in the CPPA, similar to the initiatives of the ICO in the UK. In this way, it can avoid repeating the confusion that has arisen surrounding legitimate interest in Europe.