In an announcement this week, the Office of the Privacy Commissioner of Canada (OPC) has put “on hold” any changes in approach for cross-border data flows of personal information, stating “its guidelines for processing personal data across borders will remain unchanged under the current law.”
What this means is that the OPC does not interpret the Personal Information Protection and Electronic Documents Act (PIPEDA) as requiring consent for cross-border data flows, including the processing of personal information outside of Canada. As widely reported in the spring, the OPC had previously indicated its view that cross-border transfers of personal information require consent.
The OPC will continue to, and we anticipate will be more vigilant about, ensuring organizations provide transparency about transborder data flows, and take steps to ensure personal information is adequately protected in the hands of processors. Key considerations for organizations are:
- Transfers for processing are a "use" of information, not a disclosure requiring additional consent, assuming the information is being used for the purpose for which it was originally collected.
- The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.
- Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.
- Organizations should assess, and take steps to mitigate, the risks that could jeopardize the integrity, security and confidentiality of personal information transferred outside of Canada.
- Organizations need to make it plain to individuals that their information may be accessed, stored or processed in a foreign country, and that it may be accessible to law enforcement and national security authorities of that jurisdiction.
Given that the OPC’s conclusion depends on the current law, we anticipate this issue will arise again. The OPC will likely advocate for changes to the law that require consent for cross-border data flows, and the trend-setter is the European General Data Protection Regulation (GDPR), which includes strict requirements for foreign data processing. To comply with the current interpretation, and to prepare for possible changes, organizations should be addressing the transparency and privacy protection requirements for transfers of personal information outside of Canada.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.