The Office of the Privacy Commissioner of Canada ("OPC") has now decided [1] that the Personal Information Protection and Electronic Documents Act ("PIPEDA") does not require organizations to obtain separate express consent for the transfer of personal information to service providers located outside of Canada.
The recent decision makes it clear, however, that organizations that use third-party service providers outside of Canada must: (1) provide individuals with appropriate notice of cross-border data transfers; and (2) remain accountable for that personal information by ensuring that it stays adequately protected from unauthorized access, use and/or disclosure in the hands of that third-party service provider. The OPC described how organizations can fulfill these requirements, which we discuss below.
This decision resolves the uncertainty created last year by the OPC's consultation on transborder dataflows. Last year, the OPC suggested that cross border transfers of personal information for processing require consent. The OPC consultation was met with widespread criticism from many businesses and in September 2019, the OPC announced that any changes to its approach for cross-border data flows of personal information were "on hold". We wrote about this consultation process here and here.
The decision published on August 4 concerned a complaint brought by a former employee of TD Canada Trust ("TD"). The former employee complained that TD had outsourced parts of its fraud claims processing services to a third party service provider located in India, without obtaining customers' consent or offering customers the choice to opt out of the transfer of personal information to a service provider in a foreign jurisdiction. The complainant also claimed that TD had not been sufficiently open with respect to its outsourcing practices.
The service provider in question is a large multinational IT service and consultancy firm with employees located in India. The service provider provided services on TD's behalf such as preparing customer dispute forms and other supporting documents for TD to send to cardholders, issuing temporary/provisional credit on transactions approved as fraud claims and investigated for recovery, and adjudicating customer disputes.
The OPC's Investigation and Decision
The OPC dismissed the complaint against TD on the basis that TD was not required to obtain additional consent for the processing of customer personal information by a third party service provider in India, and that TD was appropriately open about its outsourcing to current and potential customers. Further, the OPC also found that TD remained appropriately accountable for its customers' personal information through a "robust" contract and other controls and safeguards. In its investigation report, the OPC made the following findings:
- No separate consent or opt-out option required for cross-border transfers: TD obtains consent to use customer information for the processing of fraud claims via its account opening agreements, which include the TD Privacy Agreement and TD Privacy Code. TD's contract with the third party service provider supported TD's position that it only transferred personal information to the service provider to fulfill specific tasks related to processing fraud-related claims. The third-party service provider was using TD customers' personal information for a purpose for which TD had originally collected the information (to manage fraud claims). As a result, TD was not required to obtain separate consent for, or to provide customers the choice to opt out of, the transfer of customers' personal information to the third-party service provider for that same purpose.
- TD provided proper notice to customers: TD provides customers with information about its transfers of personal information to service providers in other jurisdictions in account opening agreements and in the TD Privacy Code. In cases where customers cannot review the full privacy terms at the time that they apply for a TD product, such as where a person applies by telephone, TD provides an oral summary and later sends the full privacy agreement to the customer with other account documentation. TD also makes TD privacy documentation available in person at a TD branch, or through the TD website at any time. The OPC found that TD made "readily available, and quite prominent, clear and understandable information" about its cross-border data transfers. As a result, the OPC found that TD was sufficiently open about the cross border transfer of personal information for processing.
- TD ensured appropriate protection for personal information: given the sensitivity of the personal information in question, which included financial information and details of fraud claims, the OPC made it clear that it expected a high level of safeguards. After reviewing TD's contract with the service provider as well as other supporting documentation, the OPC found that TD had ensured an adequate level of protection for that personal information. TD's contract with the service provider prohibits the service provider from using or disclosing the personal information it accesses for any purposes other than those set out under the contract, and from retaining any personal information in India. The OPC also found that TD had implemented several other safeguards to ensure compliance with contractual requirements. These other safeguards included the following:
- Risk assessment prior to entering into the contract: TD conducted a thorough risk assessment prior to entering into the contract with this service provider. This included conducting an internal privacy impact assessment, obtaining legal advice on the privacy and information security obligations imposed under Indian law, and incorporating its risk assessment findings into the contract with the service provider.
- Employee background assessment and monitoring: TD contractually requires the service provider to conduct criminal and other background checks (including annual re-verification) on its employees, and to remove access to TD systems and information for any employees who failed the background checks.
- Employee policies and training: TD's contract with the service provider requires that the service provider develop and maintain policies for its employees that: (a) prohibit copying of TD customer personal information; (b) ensure that no TD information is stored outside of Canada; and (c) that address physical security management. The contract also requires that the service provider provide specified training to all employees, and that its employees comply with TD's Information Security practices.
- Work environment controls: TD contractually requires that the service provider control the work environment to prevent its employees from storing, copying, downloading, recording, printing, distributing, caching, or maintaining TD information through various physical and organizational methods. This includes, for example, prohibiting employees from bringing electronic devices into the physical workspace (a "clean room" environment).
- Access and other cybersecurity controls: TD supplies all hardware and software to the service provider, and has implemented numerous measures to protect against unauthorized access to information, including for example:
- implementing two-factor authentication to access the TD environment;
- partially masking certain sensitive personal information such as a SIN or date of birth;
- requiring the service provider to engage in electronic monitoring of employee activities, including through the use of computer access monitoring and audit logs;
- requiring the service provider to maintain a formal program to ensure malicious software protection is in place; and
- requiring the service provider to perform industry standard security and intrusion testing, including attack and penetration testing, at least annually.
TD also requires that the service provider comply with TD security requirements, which include compliance with industry standards. The service provider in question is ISO-27001:2013 certified, and TD verified the service provider's compliance with those standards via certification by an independent third party.
- Proactive monitoring and enforcement of contractual obligations: TD's contract with the service provider allows TD to proactively monitor and audit the service provider to ensure contractual compliance. TD engages in monitoring activities, including regular audits by an independent auditor of the service provider's practices. The contract also gives TD the ability to terminate its agreement with the service provider if the service provider breaches any contractual obligations.
In light of the above, the OPC found that TD's controls provided a level of protection comparable to that which would be required under PIPEDA if the information was processed by TD. As a result, TD had complied with its accountability requirements under PIPEDA.
This is a welcome decision that confirms that organizations do not need to obtain additional consent for the cross-border transfer of personal information, so long as the personal information is being used or processed for the original purpose for which the information was collected.
Organizations that use third-party service providers outside of Canada to process personal information on their behalf remain accountable for how the service provider processes that personal information. This decision is a reminder to organizations that use such service providers to:
- Be transparent with your customers about cross border data flows.
- Carefully vet third party service providers before engaging their services, which may include conducting a privacy impact assessment.
- Explicitly address privacy issues in contracts with third party service providers, and tailor any privacy and security related terms and conditions to the nature of the services being provided and the sensitivity of the personal information in question. A one line reference to compliance with applicable laws will probably not be sufficient. In this TD decision, the OPC noted that it is not enough for a contract to state that the service provider "will comply with Canadian privacy laws".
- Implement measures to ensure the service provider's compliance with contractual terms and to ensure that the service provider complies with PIPEDA (i.e. policies, employee background checks, and independent audits).
If you have any questions about how to comply with PIPEDA in the context of cross-border transfers of personal information, please contact any member of Lawson Lundell's Privacy and Data Management group.
[1] PIPEDA Report of Findings #2020-001, August 4, 2020.