The Office of the Privacy Commissioner of Canada (OPC) released its report on its investigation into a 2017 data breach at Equifax and reversed its position on the privacy requirements that attach to intercompany data transfers and cross-border data transfers. The decision will have long-term impacts for Canadian companies' domestic and cross-border data practices.

What you need to know

  • The OPC now considers transfers of personal information from a company to an affiliate or third-party vendor for processing purposes as disclosures of personal information to third parties.
  • Companies must obtain meaningful consent to disclose personal information to third parties. This includes clearly explaining the nature and purpose of the transfer, whether the recipient processor is located outside Canada, and any alternatives that would allow the customer to continue receiving services without transferring data internationally.
  • Cross-border data transfers are not necessarily prohibited. Rather, depending on the sensitivity of the information, the transparency of the transfer outside Canada, and the availability of domestic alternatives, companies may need to provide a higher level of disclosure to obtain valid consent.
  • There is now a regulatory expectation that data transfers among corporate affiliates should be treated like third party disclosures. Most significantly, this may involve more detailed data processing agreements that impose rigorous privacy and security obligations on the recipient organization even when the entities are related and subject to comparable internal policies.
  • The OPC's evolving position on data transfers is yet another sign that it is interpreting Canada's privacy law in a manner consistent with Europe's privacy rules despite no legislative amendments having been proposed to formally align Personal Information Protection and Electronic Documents Act (PIPEDA) with General Data Protection Regulation (GDPR).

The Privacy Commissioner's decision

On September 7, 2017, Equifax Inc. announced that an attacker had accessed the personal information of more than 143 million individuals, including personal information for certain U.K. and Canadian residents. Approximately 19,000 Canadians were affected by the attack.

The OPC's investigation determined that the affected personal information of Canadians was collected by Equifax Inc. from certain Canadian consumers who purchased or received direct-to-consumer products or fraud alerts from Equifax Canada. Equifax Canada's security infrastructure was highly integrated with that of Equifax Inc.

The investigation was broad: the OPC looked at the adequacy of safeguards by Equifax Inc. and Equifax Canada, whether Equifax Canada had adequate accountability for Canadian data processed by Equifax Inc., whether Equifax Canada had obtained valid consent for this processing, and the companies' data destruction practices. The report concluded that both Equifax Inc. and Equifax Canada contravened PIPEDA in a number of respects and recommended improvements.

Importantly, the OPC found the transfer of data from Equifax Canada to Equifax Inc. to be inconsistent with the organizations' obligation under PIPEDA to obtain meaningful consent from individuals before disclosing their personal information to a third party. For consent to be valid, individuals must be provided with clear information about the disclosure, including when the third party is located in another country, and the associated risks.

Impact on cross-border transfers

While the OPC's decision focused on the transfer of data from Canada to the United States, it will affect all cross-border transfers of information, whether to third-parties or within the corporate organizational structure.

Organizations that process personal information about individuals in Canada in other countries have long been advised to include a notice of this practice in their privacy policies, and a statement that the privacy laws in those jurisdictions may differ from those in Canada. This decision indicates the standard will now be higher to obtain meaningful consent to process or store personal data outside Canada.

The OPC has indicated the existence of a cross-border transfer of information will be a factor in assessing the validity of consent for the company's handling of the personal information. This is because individuals may not reasonably expect their information to be transferred to another country to provide services they have purchased from a Canadian company. Where the information is sensitive, individuals may also have heightened concerns about the transfer and storage of their personal information in particular countries, such as the United States. Accordingly, organizations should ensure that cross-border transfers of data, risks associated with the transfer, and alternatives to such transfers are clearly communicated to individuals in order to obtain valid consent.

Recognizing the significant impact that this change in position may have on Canadian businesses' data practices, the OPC has launched a formal consultation process before issuing revised guidance on cross-border data flows.

Impact on intercompany transfers

Beyond cross-border issues, the OPC's revised position will have a broad impact on domestic transfers of personal information for processing purposes. Although it will mean transfers of information to vendors (such as payment processors or marketing agencies) will be treated as disclosures rather than uses, the impact may be more significant in relation to intercompany transfers. A transfer of personal information to a corporate affiliate for processing purposes may have been less stringently documented than vendor arrangements under the previous view that this constitutes an internal use of data.

Even where all affiliates are located in Canada, where the services to be provided by a company will require data processing by a different legal entity, this transfer will be a factor in assessing the level of disclosure and consent required.

The OPC's focus on intercompany transfers suggests another step toward interpreting PIPEDA in line with the GDPR. In particular, we may see data processing agreements reminiscent of EU standard contractual clauses become more routinely used for transfers between Canadian corporate affiliates in order to document the privacy and security obligations of the counterparties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.