Canada: Privacy Commissioner Of Canada Reverses Position On Transfers Of Personal Information For Processing, Initiates Consultation On Cross-Border Transfers

Privacy and Cybersecurity
Last Updated: May 8 2019
Article by Antoine Guilmain, Julie Uzan-Naulin and Bruce Tattrie

In early April, the Office of the Privacy Commissioner of Canada (the "OPC") issued a notice initiating a consultation on transborder data flows (the "Notice of Consultation" and the "Consultation") in conjunction with PIPEDA Report of Findings #2019-001 (the "Report"). The OPC has also recently issued a supplementary discussion document with additional information on the Consultation.

In its Report and in its Notice of Consultation, the OPC made a surprising reversal of its long-standing position on the transfer of personal information ("PI") under the Personal Information Protection and Electronic Documents Act ("PIPEDA"). In the past, the OPC viewed a transfer of PI for processing as a "use" of the PI by the transferor rather than a "disclosure" to the processor, such that an additional consent was not required, as long as the PI was being processed for the purpose for which it was originally collected.

The OPC now states that it views the transfer of PI for processing as a disclosure requiring consent. The new OPC position applies to any transfer of PI from one organization to another, including transfers within Canada, cross-border transfers, and transfers to service providers and affiliates. In its Notice of Consultation, the OPC solicits submissions on its new position.

In this Bulletin we will discuss the previous OPC position, the new OPC position, the scope of the OPC's Consultation, and whether consent to a disclosure for processing must be express consent. We will offer some suggestions on what organizations might wish to do at this stage in the process. We will also offer some additional general comments.

1. What was the previous position of the OPC?

PIPEDA provides that the consent of individuals is generally required for the collection, use and disclosure of PI. However, where PI is shared with a third party for processing, PIPEDA treats the sharing as a "transfer", not a "disclosure":

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

(emphasis added)

In its 2009 Guidelines on Processing Personal Data Across Borders (PDF) (the "2009 Guidelines") the OPC stated that a transfer of PI for processing, including a cross-border transfer, is a "use" of the PI and not a "disclosure". The OPC view was that, as long as the PI was being processed for the purpose for which it was originally collected, additional consent for the transfer to the processor was not required. The OPC recommended that notice be given to the individual.

Although no OPC findings or guidance documents are binding on organizations, the 2009 Guidelines provided certainty to businesses about the OPC's expectations, were consistent with OPC findings, and over time have come to form a key pillar in the foundation of many organizations' current practices in relation to transfers of PI for processing, including cross-border transfers.

2. What is the new position of the OPC?

In the Report, the OPC expressed its new position that the transfers of PI by a Canadian entity to a related entity in the United States for processing were "disclosures" of PI under PIPEDA and not mere "use" of PI by the Canadian entity, as described in the 2009 Guidelines. The OPC openly acknowledged its change of position as follows: "... we acknowledge that in previous guidance our Office has characterized transfers for processing as a 'use' of personal information rather than a disclosure of personal information. Our guidance has also previously indicated that such transfers did not, in and of themselves, require consent."

With respect to the question of consent for such disclosures for processing, the OPC stated that where the transferred information is sensitive PI or where individuals would not reasonably expect that their PI would be disclosed to a third party, organizations are required to obtain express consent (rather than implied consent) and to provide information about the options available to individuals who do not wish to have their information disclosed in this way.

In addition, in the Report, the OPC concluded that, even though the above transfer should be considered a "disclosure" under PIPEDA, the Canadian entity remained accountable and was required to have controls in place to ensure that the transferred PI received a comparable level of protection while it was being processed. The OPC stated that, given the volume and sensitivity of the PI, those controls were required to include: (1) a formal written arrangement, updated periodically and in the case of material changes, addressing at a minimum certain factors discussed in the Report; and (2) a structured program for monitoring compliance against the obligations laid out in the arrangement, addressing at a minimum certain continuing reporting and assessment factors discussed in the Report.

3. What is the scope of the Consultation?

In its Notice of Consultation, the OPC announced that it is "revisiting" its 2009 Guidelines on cross-border data flows under PIPEDA. In the same notice, the OPC states that its view is now that:

  • In the absence of an applicable exception, transfers for processing, including cross-border transfers, require consent as they involve the disclosure of PI from one organization to another (contrary to the OPC's position in the 2009 Guidelines).
  • For the consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including instances when the third party is located in another country, and the associated risks.
  • When determining the form of consent (express or implied), organizations will need to consider the sensitivity of the information and individuals' reasonable expectations. The OPC believes individuals would generally expect to know whether and where their PI may be transferred or otherwise disclosed to an organization outside Canada.
  • Organizations are free to design their operations to include flows of PI across borders, but they must respect the individuals' right to make that choice for themselves as part of the consent process.
  • Individuals must be informed of any options available to them if they do not wish to have their PI disclosed across borders.

The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements, and seeks input from interested parties. Responses must be submitted to the OPC by June 4, 2019.

4. When is express consent required for a disclosure for processing?

In its Guidelines on obtaining meaningful consent (the "Consent Guidelines"), which came into effect on January 1, 2019, the OPC states that organizations must generally obtain express consent, rather than implied consent, when: (1) the information being collected, used or disclosed is sensitive; (2) the collection, use or disclosure is outside of the reasonable expectations of the individual; or (3) the collection, use or disclosure creates a meaningful residual risk of significant harm.

In the Report and in the Notice of Consultation, the OPC uses and applies these concepts. As a consequence, an express consent to a disclosure for the purpose of processing, whether or not cross-border, would be required under the OPC approach when: (1) the information being collected, used or disclosed is sensitive; (2) the collection, use or disclosure is outside of the reasonable expectations of the individual; or (3) the collection, use or disclosure creates a meaningful residual risk of significant harm.

With respect to individuals' reasonable expectations, the OPC states the following in the Notice of Consultation:

Under PIPEDA, the form of consent required depends on the sensitivity of the information at issue and the individual's reasonable expectations in the circumstances. Underlying the contextual analysis of both sensitivity and reasonable expectations is the risk of harm to the individual. Where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied.

It is the OPC's view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country. Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.

(emphasis added)

The first paragraph is a restatement of the principles from the Consent Guidelines. The second paragraph strongly implies, but does not explicitly state, that the OPC's view is that an express consent is required for all cross-border transfers of PI. Why did the OPC not explicitly state that an express consent is required for all cross-border disclosures? Perhaps the OPC is leaving some room for the possibility that there might be some circumstances where an implied consent is sufficient, if the individual has sufficient notice that the PI would be disclosed cross-border for processing. Organizations will want to review future OPC guidance for any clarification of the OPC's views on whether express consent is required for all cross-border disclosures of PI for processing.

5. What should organizations do now?

The OPC's new position on transfers of PI will have dramatic implications for many organizations. Domestic and international transfers of personal information to service providers and affiliates are commonplace in Canada and in many cases will not have been implemented in a manner that would be compliant with the OPC's new view.

Bearing in mind that OPC findings and guidance documents do not have the force of law, organizations should conduct an assessment of their compliance with the new OPC position, consider the impact on their information practices, privacy notice and consent documents, and plan their next steps.

Organizations may also wish to submit a response to the Consultation, to monitor the OPC Consultation process, and to review future changes to the OPC guidance documents on cross-border transfers and consent.

6. Comments on the OPC's new position

There has been widespread criticism of the OPC's new position, including in respect of the following themes:

  • Recognizing the close integration of the Canadian and US economies, and recognizing that the US was not adopting general personal information protection legislation, Parliament chose to adopt privacy legislation that was more adapted to Canadian commercial reality than the EU Data Protection Directive - a middle path - and Parliament chose not to expressly address cross-border transfers in PIPEDA.
  • Critics argue that fundamental change in privacy regulation should be effected through legislative change by the elected members of Parliament, and not by the OPC adopting aggressive reinterpretations of PIPEDA (notwithstanding that the OPC's interpretations are not binding in law).
  • To the extent that the OPC approach might be motivated by the EU General Data Protection Regulation ("GDPR"), it fails to take into consideration key differences in approach and concepts between PIPEDA and the GDPR, including in relation to the concepts of "controller" and "processor" and the fact that, unlike PIPEDA, the GDPR includes a number of mechanisms which are widely utilized to support cross-border transfers without consent. If the GDPR is to be considered as a model that should influence the approach to cross-border transfers under PIPEDA, the full range of relevant factors should be considered.
  • This is not the first time that the OPC has aggressively reinterpreted PIPEDA. The OPC's reinterpretation of PIPEDA to allow for increased regulation of cross-border transfers is reminiscent of the OPC's recent reinterpretation of PIPEDA to purport to recognize an otherwise non-existent GDPR-like right to be forgotten in PIPEDA.
  • In the absence of legislative change, the OPC appears to have wanted to find some other way to regulate cross-border transfers. To accomplish this end, the OPC unfortunately chose to reinterpret PIPEDA to impose new requirements on all transfers for processing by a third party, including transfers within Canada and transfers to affiliates.
  • If the Consultation confirms the OPC's new position without material change, then organizations may face many practical difficulties and increased costs of compliance. Meaningful consent will be difficult to obtain. Detailed disclosure of information about processing arrangements will be expensive to provide and to maintain. Disclosure of information about subprocessors may be required. Will an individual be permitted to opt out of an existing contract if a processor or subprocessor changes?
  • There will also be significant transitional issues. New consents will be difficult to obtain from existing customers. Will existing consents be grandfathered? Existing contracts with processors may not comply with the new OPC expectations, and processors may not agree to amend them.

We will continue to monitor developments related to the OPC's Consultation and next steps.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
