In April of this year, the Office of the Privacy Commissioner of Canada (OPC) announced that it would be revisiting its 2009 guidelines for processing personal data across borders (the "Guidelines"), and invited submissions from stakeholders as part of a consultation process regarding the Guidelines. Read our previous blog about this reconsideration and consultation.
The Guidelines provided that personal information could be transferred outside of Canada for storage and processing, provided that certain conditions were met – including, for example, that information is protected with appropriate safeguards, and that individuals are provided with appropriate notice that their personal information is stored in, and may be subject to the laws of, that other jurisdiction.
In revisiting the Guidelines, the OPC indicated that it was considering introducing new requirements applicable to storage and processing of personal information outside of Canada, including:
- A requirement to obtain consent from individuals before their personal information is transferred outside of Canada (including for storage or processing by third-party service providers).
- A requirement to inform individuals of options available to them if they do not wish to have their personal information transferred outside of Canada.
- A requirement to ensure that organizations maintain control of personal information transferred to a third party for processing.
During the consultation period, the OPC received 87 submissions from stakeholders, with many raising similar concerns regarding these proposed requirements.
Of those concerns, commonly raised was the fact that there is no requirement pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent to transfer personal information for processing, with the result that making this a requirement would pose significant challenges for organizations seeking to remain privacy-compliant.
On September 23, 2019, the OPC announced that it is restoring its 2009 position on data transfers for processing, and that the Guidelines will therefore remain unchanged.
Accordingly, the OPC has opted to maintain the status quo unless and until existing legislation is changed at some point in the future. However, the OPC reiterated the need for organizations to be transparent regarding how they handle personal information, and to inform the individuals regarding whom they collect or hold personal information that such information may be transferred outside of Canada for processing.
We will be watching for further developments regarding the position of the OPC with respect to transborder data flows and modernization of PIPEDA with interest.
If you require more information regarding the impact of these developments on your organization, or assistance with reviewing your existing policies and procedures, a member of our science and technology team would be pleased to assist you.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.