In early April, the Office of the Privacy Commissioner of Canada (the "OPC") issued a notice initiating a consultation on transborder data flows (the "Notice of Consultation" and the "Consultation") in conjunction with PIPEDA Report of Findings #2019-001 (the "Report"). The OPC has also recently issued a supplementary discussion document with additional information on the Consultation.
In its Report and in its Notice of Consultation, the OPC made a surprising reversal of its long-standing position on the transfer of personal information ("PI") under the Personal Information Protection and Electronic Documents Act ("PIPEDA"). In the past, the OPC viewed a transfer of PI for processing as a "use" of the PI by the transferor rather than a "disclosure" to the processor, such that an additional consent was not required, as long as the PI was being processed for the purpose for which it was originally collected.
The OPC now states that it views the transfer of PI for processing as a disclosure requiring consent. The new OPC position applies to any transfer of PI from one organization to another, including transfers within Canada, cross-border transfers, and transfers to service providers and affiliates. In its Notice of Consultation, the OPC solicits submissions on its new position.
In this Bulletin we will discuss the previous OPC position, the new OPC position, the scope of the OPC's Consultation, and whether consent to a disclosure for processing must be express consent. We will offer some suggestions on what organizations might wish to do at this stage in the process. We will also offer some additional general comments.
1. What was the previous position of the OPC?
PIPEDA provides that the consent of individuals is generally required for the collection, use and disclosure of PI. However, where PI is shared with a third party for processing, PIPEDA treats the sharing as a "transfer", not a "disclosure":
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
In its 2009 Guidelines on Processing Personal Data Across Borders (PDF) (the "2009 Guidelines") the OPC stated that a transfer of PI for processing, including a cross-border transfer, is a "use" of the PI and not a "disclosure". The OPC view was that, as long as the PI was being processed for the purpose for which it was originally collected, additional consent for the transfer to the processor was not required. The OPC recommended that notice be given to the individual.
Although no OPC findings or guidance documents are binding on organizations, the 2009 Guidelines provided certainty to businesses about the OPC's expectations, were consistent with OPC findings, and over time have come to form a key pillar in the foundation of many organizations' current practices in relation to transfers of PI for processing, including cross-border transfers.
2. What is the new position of the OPC?
In the Report, the OPC expressed its new position that the transfers of PI by a Canadian entity to a related entity in the United States for processing were "disclosures" of PI under PIPEDA and not mere "use" of PI by the Canadian entity, as described in the 2009 Guidelines. The OPC openly acknowledged its change of position as follows: "..., we acknowledge that in previous guidance our Office has characterized transfers for processing as a 'use' of personal information rather than a disclosure of personal information. Our guidance has also previously indicated that such transfers did not, in and of themselves, require consent.."
With respect to question of consent for such disclosures for processing, the OPC stated that where the transferred information is sensitive PI or where individuals would not reasonably expect that their PI would be disclosed to a third party, organizations are required to obtain express consent (rather than implied consent) and to provide information about the options available to individuals who do not wish to have their information disclosed in this way.
In addition, in the Report, the OPC concluded that, even though the above transfer should be considered a "disclosure" under PIPEDA, the Canadian entity remained accountable and was required to have controls in place to ensure that the transferred PI received a comparable level of protection while it was being processed. The OPC stated that, given the volume and sensitivity of the PI, those controls were required to include: (1) a formal written arrangement, updated periodically and in the case of material changes, addressing at a minimum certain factors discussed in the Report; and (2) a structured program for monitoring compliance against the obligations laid out in the arrangement, addressing at a minimum certain continuing reporting and assessment factors discussed in the Report.
3. What is the scope of the Consultation?
In its Notice of the Consultation, the OPC announced that it is 'revisiting' its 2009 Guidance on cross-border data flows under PIPEDA. In its Notice of Consultation, the OPC states that its view is now that:
- In the absence of an applicable exception, transfers for processing, including cross border transfers, require consent as they involve the disclosure of PI from one organization to another (contrary to the OPC's position in the 2009 Guidance).
- For the consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including instances when the third party is located in another country, and the associated risks.
- When determining the form of consent (express or implied), organizations will need to consider the sensitivity of the information and individuals' reasonable expectations. The OPC believes individuals would generally expect to know whether and where their PI may be transferred or otherwise disclosed to an organization outside Canada.
- Organizations are free to design their operations to include flows of PI across borders, but they must respect the individuals' right to make that choice for themselves as part of the consent process.
- Individuals must be informed of any options available to them if they do not wish to have their PI disclosed across borders.
The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements, and seeks input from interested parties. Responses must be submitted to the OPC by June 4, 2019.
4. When is express consent required for a disclosure for processing?
In its Guidelines on obtaining meaningful consent (the "Consent Guidelines"), which came into effect on January 1, 2019, the OPC states that organizations must generally obtain express consent, rather than implied consent, when: (1) the information being collected, used or disclosed is sensitive; (2) the collection, use or disclosure is outside of the reasonable expectations of the individual; or (3) the collection, use or disclosure creates a meaningful residual risk of significant harm.
In the Report and in the Notice of Consultation, the OPC uses and applies these concepts. As a consequence, an express consent to a disclosure for the purpose of processing, whether or not cross-border, would be required under the OPC approach when: (1) the information being collected, used or disclosed is sensitive; (2) the collection, use or disclosure is outside of the reasonable expectations of the individual; or (3) the collection, use or disclosure creates a meaningful residual risk of significant harm.
With respect to individuals' reasonable expectations, the OPC states the following in the Notice of Consultation:
Under PIPEDA, the form of consent required depends on the sensitivity of the information at issue and the individual's reasonable expectations in the circumstances. Underlying the contextual analysis of both sensitivity and reasonable expectations is the risk of harm to the individual. Where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied.
It is the OPC's view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country. Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.
The first paragraph is a restatement of the principles from the Consent Guidelines. The second paragraph strongly implies, but does not explicitly state, that the OPC's view is that an express consent is required for all cross-border transfers of PI. Why did the OPC not explicitly state that an express consent is required for all cross-border disclosures? Perhaps the OPC is leaving some room for the possibility that there might be some circumstances where an implied consent is sufficient, if the individual has sufficient notice that the PI would be disclosed cross-border for processing. Organizations will want to review future OPC guidance for any clarification of the OPC's views on whether express consent is required for all cross-border disclosures of PI for processing.
5. What should organizations do now?
The OPC's new position on transfers of PI will have dramatic implications for many organizations. Domestic and international transfers of personal information to service providers and affiliates are commonplace in Canada and in many cases will not have been implemented in a manner that would be compliant with the OPC's new view.
Bearing in mind that OPC findings and guidance documents do not have the force of law, organizations should conduct an assessment of their compliance with the new OPC position, consider the impact on their information practices, privacy notice and consent documents, and plan their next steps.
Organizations may also wish to submit a response to the Consultation, to monitor the OPC Consultation process, and to review future changes to the OPC guidance documents on cross-border transfers and consent.
6. Comments on the OPC's new position
There has been widespread criticism of the OPC's new position, including in respect of the following themes:
- Recognizing the close integration of the Canadian and US economies, and recognizing that the US was not adopting general personal information protection legislation, Parliament chose to adopt privacy legislation that was more adapted to Canadian commercial reality than the EU Data Protection Directive - a middle path - and Parliament chose not to expressly address cross-border transfers in PIPEDA.
- Critics argue that fundamental change in privacy regulation should be effected through legislative change by the elected members of Parliament, and not by the OPC adopting aggressive reinterpretations of PIPEDA (notwithstanding that the OPC's interpretations are not binding in law).
- To the extent that the OPC approach might be motivated by the EU General Data Protection Regulation ("GDPR"), it fails to take into consideration key differences in approach and concepts between PIPEDA and the GDPR, including in relation to the concepts of "controller" and "processor" and the fact that, unlike PIPEDA, the GDPR includes a number of mechanisms which are widely utilized to support cross-border transfers without consent. If the GDPR is to be considered as a model that should influence the approach to cross-border transfers under PIPEDA, the full range of relevant factors should be considered.
- This is not the first time that the OPC has aggressively reinterpreted PIPEDA. The OPC's reinterpretation of PIPEDA to allow for increased regulation of cross-border transfers is reminiscent of the OPC's recent reinterpretation of PIPEDA to purport to recognize an otherwise non-existent GDPR-like right to be forgotten in PIPEDA.
- In the absence of legislative change, the OPC appears to have wanted to find some other way to regulate cross-border transfers. To accomplish this end, the OPC unfortunately chose to reinterpret PIPEDA to impose new requirements on all transfers for processing by a third party, including transfers within Canada and transfers to affiliates.
- If the Consultation confirms the OPC's new position without material change, then organizations may face many practical difficulties and increased costs of compliance. Meaningful consent will be difficult to obtain. Detailed disclosure of information about processing arrangements will be expensive to provide and to maintain. Disclosure of information about subprocessors may be required. Will an individual be permitted to opt-out of an existing contract if a processor or subprocessor changes?
- There will also be significant transitional issues. New consents will be difficult to obtain from existing customers. Will existing consents be grandfathered? Existing contracts with processors may not comply with the new OPC expectations, and processors may not agree to amend them.
We will continue to monitor developments related to the OPC's Consultation and next steps.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.