Earlier this year, the Office of the Privacy Commissioner of Canada (OPC) surprised many in the business community by floating the idea of requiring data subjects’ consent when transferring personal information to service providers for processing, cross-border or otherwise. This new twist on the Personal Information Protection and Electronic Documents Act (PIPEDA) would have reversed ten years of settled guidance from the OPC on the issue. Accordingly, the OPC launched an initial public consultation on the topic and then “reframed” the discussion after the Minister of Innovation, Science and Economic Development issued the federal government’s Strengthening Privacy for the Digital Age whitepaper in which the Minister seemed to take the view that transfers for processing did not require consent as long as accountability for the use of the information was maintained. (See our summary of these events here.)
Thankfully the OPC announced on September 23, 2019, that, following this consultation, it has concluded that its Guidelines for Processing Personal Data Across Borders (Guidelines) from January of 2009 will remained unchanged. These Guidelines instead consider processing by a service provider to be a “use” of the information on behalf of the organization that has transferred it; they focus on transparency and accountability to protect information from unauthorized uses and disclosures while in the hands of a third-party processor. The Guidelines also emphasize that, for cross-border transfers, organizations need to “make it plain” in “clear and understandable language” at the time of collection that personal information may be processed in foreign countries and that it “may be accessible to law enforcement and national security authorities of that jurisdiction.”
The handling of personal information by service providers is clearly on the OPC’s radar. Prior to the launch of the consultation, the OPC issued its report into the Equifax data breach (PIPEDA Report of Findings #2019-001, April 9, 2019). In this report, included among the many recommendations were the OPC’s views on the minimum measures that organizations had to take to comply with clause 4.1.2 of the Accountability Principle in PIPEDA. The OPC stated, in paragraph 74 of the Equifax report:
| a. | In a case where a
substantial volume of sensitive personal information belonging to a
large number of individuals is being handled over a prolonged
period, the level of controls should be commensurately high. In
such a situation, in our view, PIPEDA Principle 4.1.3 requires, at
a minimum: |
||
| i. | A formal written arrangement,
updated periodically and in the case of material changes, which
should generally include details about the following: |
||
| ii. | what personal information is
being handled by the third party, including both information shared
by the organization and any information collected directly by the
third party on behalf of the organization; |
||
| iii. | what specific rules, regulations
and standards need to be complied with in the handling of the
information, including PIPEDA; |
||
| iv. | the roles and responsibilities
of key stakeholders within both organizations for the handling of
the personal information, including responsibilities for specific
functions, decision-making, safeguards and breach
response; |
||
| v. | information security
obligations; |
||
| vi. | acceptable uses of the
information; |
||
| vii. | retention and destruction
obligations; and |
||
| viii. | reporting and oversight
arrangements to ensure compliance with the above, including
reporting obligations in the case of a breach that could compromise
the personal information. |
||
| b. | A structured program
for monitoring compliance against the obligations laid out in the
arrangement. The program should be suitable to the scope and
sensitivity of the personal information being handled. It should
include: |
||
| i. | mechanisms for periodic
reporting by the third party on the handling of the personal
information; and |
||
| ii. | where scope and sensitivity of the personal information handled is significant, mechanisms to ensure periodic external assessment (by the organization or an appropriate third party) of compliance with the full range of obligations described in the written arrangement. | ||
While the OPC seems to have backed off for now from the consent requirement for processing of personal information by service providers, it has served notice that it expects PIPEDA to be “reformed” at some point in the future and that it is taking a pragmatic “status quo” approach for the time being until the law is finally amended. Although this issue is in abeyance for now, expect it to arise again in the future. Organizations should be reviewing the existing guidance now to plan for potential system/business process changes down the road.
We will continue to monitor the situation as it unfolds.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
