Update: The OPC has announced its intention to suspend the consultation on transborder dataflows. Privacy Commissioner of Canada Daniel Therrien made the announcement on Thursday, May 23, 2019 at the IAPP Canada Privacy Symposium.

On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) initiated a consultation on transborder dataflows under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (the “Consultation”). The Consultation comes 10 years after the OPC published its original “Guidelines for Processing Personal Data Across Borders” (the “2009 Guidelines”) and shows a significant shift from its earlier position, with the OPC revising its policy positions on several key matters.

Background

International data transfers are a topic that is front of mind for many organizations, particularly given the increased use of external, cloud-based data processing and storage in recent years.  In many cases, large, third-party service providers store data on behalf of their clients on servers located in different parts of the world, and will not commit to retaining data in the location of origin.

However, the implications of the Consultation are not limited to transborder dataflows.  Rather, the OPC appears to be considering reversing its prior policy on all transfers of personal information to service providers for processing. If the OPC maintains its position, this change will have significant implications for virtually every organization that is subject to PIPEDA.

Highlights

Key points from the Consultation include:

  • Consent is mandatory – Any transfer for processing, including cross border transfers, requires consent (unless a specific PIPEDA exemption applies).
  • Alternative options must be communicated – Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed outside Canada.
  • Accountability remains with the transferor – When disclosing personal information to a third party for processing, organizations continue to retain control of the information.

Implications for Organization

The OPC’s position on accountability is not necessarily new. Both the 2009 Guidelines and the OPC’s past investigative findings indicate that organizations engaging service providers are required to: (i) be accountable for personal information in the possession of service providers, and implement contractual or other measures to provide a comparable level of protection; (ii) be transparent about personal information handling practices, including advising individuals that their personal information may be accessed by the courts, law enforcement and national security authorities in another jurisdiction; and (iii) assess the risks to security and confidentiality of personal information before proceeding with cross-border transfers, which may include consideration of the legal requirements of the host country, political, economic and social conditions in the host country, and any other relevant risk factors.

However, the positions taken by the OPC in the Consultation on consent and alternative options represent potentially significant changes to the practical approach it has taken to outsourcing in the past.

In the 2009 Guidelines, the OPC distinguished between “disclosures” of personal information, whereby a third party will use the information for its own purposes, and “transfers” to a service provider that can only use the information for the purposes that it was originally collected.  A transfer for processing was considered to be a “use” of personal information, which did not require additional consent.

In contrast, in the Consultation, the OPC indicates that: “Individuals must be given the opportunity to exercise their legal right to consent to disclosures across borders, regardless of whether these are transfers for processing or other types of disclosures” (emphasis added).

In addition, previously, the OPC generally took the position that organizations were free to use foreign service providers (assuming they were accountable and transparent), and did not have to offer alternative options to individuals. For example, in PIPEDA Case Summary #2005-313, the OPC explicitly stated that “…companies are not required to provide customers with the choice of opting-out where the third-party service provider is offering services directly related to the primary purposes for which the personal information was collected.”

However, the Consultation suggests that the OPC now intends to scrutinize whether a transfer for processing is a valid term of service, versus whether organizations are required to provide other options for individuals who do not wish to have their information disclosed across borders.   

The OPC’s revised approach to data processing appears to disregard the realities of modern businesses.  Some commentators have suggested that the OPC’s goal is to ensure that PIPEDA retains its adequacy status in light of Europe’s General Data Protection Regulation (the “GDPR”), given the strict approach to international transfers of personal data under the GDPR.  However, unlike PIPEDA, the GDPR contains a detailed framework for data controllers and processors, and even the GDPR does not generally require consent for an organization to utilize service providers.  Furthermore, the GDPR has a number of legal bases for transferring personal data across borders, so that consent is not required in many circumstances.

The OPC’s proposed stance on transfers for processing, including international transfers of data, also appears to be inconsistent with its position on “meaningful” consent, which sets out “practical and actionable guidance” on the different approaches organizations can take regarding consent, given the realities of modern businesses.  Organizations will undoubtedly continue to use service providers, including many that will store data outside Canada. In most cases, it would not be practical to offer alternate options to consumers. Therefore, the reality is that individuals who wish to purchase products or services from these organizations will have to consent to their information being transferred to such service providers.  

Accordingly, this change in approach is unlikely to provide individuals with increased control over their personal information. Rather, it will likely only result in longer, more complicated privacy notices and consent forms, which the OPC has criticized in the past.  The benefits of this approach over the OPC’s earlier policy position (which already required transparency, accountability, and appropriate safeguards) are unclear.  

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2019