On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) played a belated April Fools' joke. They launched a consultation on transborder data flows in which they indicated that they were revisiting their long-held position that a transfer of personal information to a service provider for processing does not require consent from the individual, and now propose that a transfer for processing involves a disclosure of personal information and therefore requires consent. Only it wasn't a joke.

WAIT, WHAT?

The OPC's reasons are as follows. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires consent for any collection, use or disclosure of personal information, subject to limited statutory exceptions, and since none of the statutory exceptions allows for disclosure of personal information to a third party for processing without consent, consent must be obtained. What this reasoning fails to consider is that the OPC has historically—and correctly—viewed a transfer of personal information to a service provider for processing as a "use" of personal information by the transferring organization, and not a disclosure to the service provider. Since it is a use of personal information, a separate consent for the transfer is not required. The organization need only ensure that it has meaningful consent to use the personal information for the intended purposes. If it does have such consent, the organization (or a service provider on behalf of the organization) can use the personal information for those purposes.

WHY THE SWITCH?

It's unclear why the OPC is revisiting its position on this, particularly since the law itself has not changed.

They are clearly concerned that individuals must be provided with meaningful information about when and under what circumstances their personal information may be processed outside of Canada. However, transparency around cross-border data transfers is already required under PIPEDA's openness principle. It would seem, therefore, that this concern could be more appropriately addressed through guidance on transparency requirements relating to cross-border data flows.

There is a reference in the consultation document to the European General Data Protection Regulation (GDPR), and one can't help but wonder whether this is an attempt by the OPC to ensure that PIPEDA's status as an "adequate" regime under the GDPR remains in place. However, it is doubtful that this proposed change will help in this respect. Certainly, PIPEDA's lack of clear controls with respect to cross-border data transfers is a gap in the legislation as compared with the GDPR. Consent is one of many mechanisms by which organizations can legitimize a cross-border data transfer under the GDPR. However, to be valid for this purpose, the consent must be "freely given." The OPC's consultation document acknowledges that organizations are free to design their operations to include flows of personal information across borders, and that individuals cannot dictate to an organization that it must design its operations in such a way that the data stays in Canada. Consent to a transborder data flow, obtained in circumstances where the only alternative is not dealing with the organization, can hardly be said to be freely given, so query how "adequate" the European Commission will consider such a requirement to be. A more practical and effective approach would be to issue guidance on what data protection terms should or must be included in contracts with service providers located outside of Canada.

WHAT DOES THIS MEAN?

It is unfortunate that the OPC appears to be taking such a commercially unreasonable approach to this issue. If the policy position moves ahead, organizations will need to completely overhaul their consent language and privacy notices to adapt to these new requirements. This, after many organizations have just spent a great deal of time and money overhauling their consent language to address requirements in the new Guidelines for Obtaining Meaningful Consent, which came into force on January 1, 2019. Other challenges that come to mind include:

  • Providing meaningful information about a potentially large number of service providers, including in situations where space and consumer attention are at issue
  • Dealing with changes to service providers—is a new consent required?
  • Dealing with existing customers—do organizations need to go back and get a new consent?
  • Dealing with unexpected service provider requirements, such as external forensics teams in the event of a data breach—must organizations obtain consent for this in advance?

These are just some of the obvious challenges that this change in position will pose for organizations, but there are sure to be many more.

WHAT SHOULD WE DO?

If this policy change moves forward as currently contemplated, it will have significant and undesirable consequences for all businesses engaged in commercial activities in Canada. The OPC will be accepting comments and feedback on their updated policy position until June 4, 2019.


© 2018 Blake, Cassels & Graydon LLP.
