Privacy Commissioner Proposes a Consent Requirement for Transborder Data Flows
On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) launched a “stakeholder consultation” on transborder data-flows.
A transfer for processing is a "use" of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required. (Emphasis added.)
The consultation document proposes the opposite view that:
In the absence of an applicable exception, the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another. (Emphasis added.)
The document does not set out any rationale for this reversal, or note that the proposed re-interpretation substantially alters (if not upends) a well-established understanding of how Canadian privacy law applied to third-party processing of personal information that dates back at least to 2005. There has been no change to the statute that could require a change in this interpretation. Nor was this an issue raised in the recent Parliamentary review of PIPEDA. So it is not entirely clear why the OPC has initiated this consultation now.
This proposed policy shift might perhaps be motivated by the desire to preserve the “adequacy” decision that enables lawful transfer of personal information from member states of the European Union. The Parliamentary review noted this general concern, although the Committee report did not identify Canada’s treatment of cross-border processing as a problem area for the adequacy analysis. See, for example, this previous post for more information.
However, it should also be noted that Canada recently signed (but has not yet ratified) the Canada-United States-Mexico Agreement, which states in Article 19.11(1) that:
No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.
This is subject to a carve-out for certain non-discriminatory measures to achieve “legitimate public policy objectives”, but there is also a separate requirement in Article 19.8(3) that “restrictions on cross-border flows of personal information” must be “necessary and proportionate to the risks presented”. These obligations are not yet binding and may never come into force. However, if the OPC proceeds with this policy change, Parliament will presumably have to consider whether it needs to be reversed if and when the treaty is ever implemented.
The consultation document goes on to note that implied consent may still be acceptable. However, “Where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied.”
The consultation document also raises two additional issues. First, it proposes that “Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders.” This must be a “clear and easily accessible choice”, at least if the processing is not necessary for the delivery of the product or service. However, there is no obligation to offer an alternative if the processing is “integral to the delivery of a service”.
The consultation document does not address the form or timing of this notice. However, it does refer to the consent guidance that came into effect on January 1, 2019, which places emphasis on “just-in-time” notices and an “ongoing process” of consent. Taken together, the guidance might suggest that individuals should have this information available at least at the time of collection, if not on an on-going basis.
The last piece of the consultation addresses accountability in complex business relationships. The positions put forward seem generally consistent with previous decisions by the on these points. In a nutshell:
- organizations remain accountable for what third parties do on their behalf;
- third party processors acting on behalf of others still have independent obligations under PIPEDA; and
- third party processors are not acting “on behalf” of the original organization if they use or disclose the information for purposes other than the processing.
The OPC has invited “input from interested parties on our updated policy position, as well as on specific areas for which related guidance would be most needed.” The deadline for submissions (which are to be provided by email, or in Word or pdf document) is June 4, 2019.
 “This Office has taken the position that companies are not required to provide customers with the choice of opting-out where the third-party service provider is offering services directly related to the primary purposes for which the personal information was collected.” PIPEDA Case Summary #2005-313.
Visit our Cybersecurity, Privacy & Data Management page and contact us with any questions or for assistance.