Following the Office of the Privacy Commissioner of Canada's (OPC) consultation on transborder data flows, the OPC concluded that its position on transborder data flows, outlined in the OPC's 2009 "Guidelines for processing personal data across borders" (guidelines), will remain unchanged under the current law.

What you need to know

  • OPC pivots away from its Equifax decision position, concluding that a transfer of personal information to an affiliate or third party for processing purposes is a "use" of the information, not a disclosure. Assuming the information is being used for the purpose for which it was originally collected, additional consent for the transfer is not required.
  • OPC reminded organizations that they must be transparent about personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.
  • While the OPC has maintained the guidelines' position on transfers for processing, the OPC's Equifax decision highlights the need for organizations to be able to demonstrate accountability when transferring personal information for processing to affiliates and third parties. Accordingly, organizations should ensure that they use contractual or other means to provide a comparable level of protection while the information is being processed by an affiliate or third party.

OPC's transborder consultation

Consultation background

OPC launched its transborder data flows consultation in April 2019 following its Equifax decision. In Equifax, the OPC departed from its guidelines, finding that the transfer of personal information between affiliated organizations or to a third party for processing should be considered a "disclosure" rather than "use" of information and that, consequently, such "disclosures" require meaningful consent. More background information on OPC's transborder data flows consultation process is available here and here.

OPC's findings

The OPC received 87 submissions from a variety of stakeholders, including industry representatives, many of whom raised concerns with respect to the position that consent may be required for transfers for processing. The OPC also stated that a vast majority of the submissions took the view that there was no requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.

The OPC noted that more than one interpretation of PIPEDA was possible. It also followed the Federal Court of Appeal's ruling that interpreting PIPEDA requires flexibility, common sense and pragmatism due to PIPEDA's "non-legal drafting" and the fact that PIPEDA "is a compromise both as to substance and to form".

In light of the submissions and the fact that OPC's proposed Equifax position is unlikely to be applied in practice until years in the future (likely well after the PIPEDA amendments proposed in the Digital Charter come into force), the OPC determined that it will maintain the status quo until the law is changed. The OPC will now focus its efforts on how a reformed law can best protect Canadians' privacy rights when their information is transferred between organizations.

Accordingly, organizations do not have to obtain additional consent when transferring data to affiliates or third-party vendors for processing purposes. Rather, organizations are only required to continue to adhere to the guidelines for processing personal data across borders. Additionally, the OPC continues to expect organizations to apply its "Guideline for obtaining meaningful consent" to allow individuals to make informed decisions.
