CPPA: transfers of personal information to service providers
The Consumer Privacy Protection Act (CPPA) will make substantial changes to Canada’s privacy law. As noted previously, the bill includes many of the provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA), plus a lot more. In some cases, it builds on the provisions of PIPEDA, on the guidance and decisions of the Commissioner, but includes changes designed either to clarify or change the law. A case in point are the very important new provisions which address transfers of personal information to service providers.
Transfers for processing under PIPEDA
Many organizations provide third parties with personal information to help them carry on their businesses. The organizations obtain consents from individuals for those uses, but not for the myriad of transfers relied on to fulfill the purposes for which the consents are obtained. The practice is pervasive including everything from payment processing, cloud and SAAS service solutions, business processing, and IT outsourcing. Given our integrated economy, especially with the United States, trans-national transfers of personal information take place all the time.
PIPEDA permits transfers of personal information for processing including across borders. It deals with such transfers under the accountability principle in Principle 4.1.3 of the CSA Model Code.
4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The OPC made a number of findings related to transfers of personal information in its complaint investigations over the years. In its 2009 Guidelines for processing personal data across borders it summarized its interpretation of PIPEDA as follows:
- PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.
- PIPEDA does establish rules governing transfers for processing.
- A transfer for processing is a “use” of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
- The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.
- Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.
- No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.
- It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.
- Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.
The Guideline has been consistently applied by the OPC, with the exception of during a short period during which the Commissioner re-interpreted transfers of personal information as disclosures and not uses thus requiring consents for such transfers. See, Barry Sookman, OPC consultation on trans-border data flows: my submission to the consultation, Barry Sookman, OPC drops transborder transfer of data consultation.
PIPEDA did not define the phrase “comparable level of protection”. The 2009 Guidelines did, construing it as follows:
“Comparable level of protection” means that the third party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board but it does mean that they should be generally equivalent.
PIPEDA is silent as to whether PIPEDA, or at least some of its provisions, applies to a service provider when its use of personal information transferred is limited to processing on behalf of the transferring party. The OPC in the Equifax decision held, without any analysis of the issue, that the security safeguards principle applies to a service provider independently of its obligations to the transferring party.
The “comparable level of protection” principle creates a number of challenges in practice. Transferring organizations often have different privacy standards from those of their service providers. Some top tier national organizations have very high standards, while small service providers often have PIPEDA compliant standards, but not as high as all of their customers. Conversely, many top tier service providers have very stringent security safeguards, in some cases even higher than those of their customers. The Equifax decision complicated the analysis by raising the question as to whether other PIPEDA obligations applied to the processor, and if so, how these could be reconciled with its status as a processor and not (to use the GDPR vernacular) a controller, the person responsible for making choices as to how personal information is to be used.
Transfers to service providers under PIPEDA
The CPPA continues to address transfers of personal information under the accountability principle. But, it does so in importantly different ways.
What is a service provider
The CPPA introduces a new term “service provider” to replace the concept of processor. Under the CPPA
service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes. (fournisseur de services).
It is unclear why the CPPA did not continue to use the term “processor”. The term has a well understood meaning such as the use in the GDPR which defines it to mean “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. While a person “that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes” would be a processor, it is uncertain whether every service provider would invariably be a “processor”, though it would be logical to conclude this is what the CPPA intends. There are many other relationships not mentioned such as professional organizations and agents that provide services to organizations. It is doubtful there is a principled reason to distinguish between processors and service providers. The use of the term “subcontractor” is also ambiguous. It may be intended to refer to “sub-processors”, but may also refer to relationships between contractors and subcontractors.
Transfers of personal information do not require new consents
As under PIPEDA, transfers of personal information for processing is permitted without requiring a new consent. S.19 now codifies the existing practical interpretation of PIPEDA stating:
Transfer to service provider
19 An organization may transfer an individual’s personal information to a service provider without their knowledge or consent.
Levels of protection for transferred personal information
Under the s.7(1) of the CPPA, an organization is accountable for personal information that is under its control. Under s.7(2) personal information is under the control of the organization that decides to collect it and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.
The CPPA departs from PIPEDA in prescribing the level of protection the transferring organization must require from the service provider. The standard is set out in s.11.
11 (1) If an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as that which the organization is required to provide under this Act.
As can be seen, under s.11(1) rather than requiring a “comparable level of protection”, the CPPA requires that a service provider provide the level of protection that the transferring organization is required to provide under PIPEDA. This formulation of the accountability principle may suggest that the service provider must comply with the PIPEDA security safeguards obligations. This would be one interpretation that is also consistent with the heading “Same protection”. However, it is unclear whether there might be circumstances in which the transferring organization is required to meet a different standard by virtue of its relationships or otherwise with individuals. The same may be true for service providers, especially those that process extensive amounts of sensitive personal information. In practice, potentially creating dual standards may perpetuate existing problems for service providers who offer the same services to multiple parties.
The CPPA also clarifies the obligations service providers have under the CPPA, separate and apart from their contractual obligations to the transferring organization. Under s.11(2) the only obligations of service providers under the CPPA for personal information that is transferred and only used for the purposes provided are those in ss. 57 and 61.
S.57 deals with security safeguards. Thus, under the CPPA both the transferring organization and the service provider have the following independent obligations:
57 (1) An organization must protect personal information through physical, organizational and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information.
Factors to consider
(2) In addition to the sensitivity of the information, the organization must, in establishing its security safeguards, take into account the quantity, distribution, format and method of storage of the information.
Scope of security safeguards
(3) The security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.
It is not apparent why the CPPA is structured to impose potentially two different safeguard standards on service providers. The first under s.11(1), “substantially the same protection of the personal information as that which the organization is required to provide under this Act”; the second, the generally applicable security safeguards standards under s 57. In this regard, the CPPA does not follow, or clearly follow, the GDPR. Under Article 28 of the GDPR where “processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” The same independent standard is imposed on processors under Article 32, which requires that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” including a number of specifically enumerated measures.
Notices of security breaches
S.61 of the CPPA adds a new obligation not expressly included under PIPEDA requiring service providers to notify organizations of a breach of security safeguards:
61 If a service provider determines that any breach of security safeguards has occurred that involves personal information, it must as soon as feasible notify the organization that controls the personal information.
This obligation, which also exists under Article 33.2 of the GDPR, is necessary because s.58 of the CPPA also includes the PIPEDA requirements for organizations to provide notices to individuals and the OPC of breaches of security safeguards.
The CPPA is silent with respect to the obligations of service providers to keep records of breaches of security safeguards (in their role of service providers). S.60 of the CPPA includes the obligation on organizations to “keep and maintain a record of every breach of security safeguards involving personal information under its control” and “on request, provide the Commissioner with access to, or a copy of, the record”. Since personal information transferred to a service provider is still under the control of the transferring organization, organizations that contract with service providers will have to continue to require that they keep and maintain such records so that the organization can comply with the CPPA.
Trans-border data flows
The CPPA continues to permit organizations to transfer personal information to other countries for processing. The new law will codify the OPC Guidance which requires organizations to be transparent about such practices. This obligation is contained in s.62 which states:
Policies and practices
62 (1) An organization must make readily available, in plain language, information that explains the organization’s policies and practices put in place to fulfil its obligations under this Act.
(2) In fulfilling its obligation under subsection (1), an organization must make the following information available…
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
The CPPA does not adopt the GDPR requirements for adequacy or formalities such as the use of contractual clauses before transfers can be legally effective. However, it accomplishes the intended goal of maintaining adequate standards of protection by the more practical and flexible requirements that the service provider, by contract or otherwise, provide the level of protection that the transferring organization is required to provide and by making the service provider expressly fall under the potentially extra-territorial security safeguards provisions of the CPPA.
New risks for service providers
The CPPA contains substantively new enforcement powers for the OPC and the new Personal Information and Data Protection Tribunal established under section 4 of the Personal Information and Data Protection Tribunal Act. As service providers are now expressly required to comply with the security safeguards provisions of the CPPA, they can expect to be subject to similar investigative and enforcement measures that apply to other organizations, as they relate to compliance with their obligations under ss.57 and 61 of the CPPA. These will now include being potentially subject to:
- complaints launched by individuals and investigated by the Commissioner under ss.82-93;
- audits of their personal information management practices under s.96;
- compliance orders made by the Commissioner under s.92(2);
- penalties imposed by the tribunal up to the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed under s.94(4); and
- damages at the suit of an individual, or potentially a class, affected by a violation of ss.57 or 61 of the CPPA for loss or injury that the individual (or class) has suffered as a result of the contravention under s106(1).
The CPPA has not yet been referred a Parliamentary committee and the service provider provisions will likely be amended before the bill is enacted, at the very least to address ambiguities. It is also likely that there will be a period between when the bill is given royal assent and when it is proclaimed into force. Given the proposed changes in the law, organizations which use service providers, and service providers, may want to start reviewing their processes, agreements and templates and building processes and terms that will permit compliance once the law is in effect.
This article was first posted on www.barrysookman.com.
 Service provider obligations: 11(2) The obligations under this Part, other than those set out in sections 57 and 61, do not apply to a service provider in respect of personal information that is transferred to it. However, the service provider is subject to all of the obligations under this Part if it collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred. Also, under s 55(3) “If an organization disposes of personal information, it must, as soon as feasible, inform any service provider to which it has transferred the information of the individual’s request and obtain a confirmation from the service provider that the information has been disposed of.”
 The right to transfer personal information across boarders for processing under generally applicable requirements for security appears intended to also comply with Article 19.11(Cross-Border Transfer of Information by Electronic Means) of the Canada-United States-Mexico Agreement (CUSMA) which states: 1. No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person. 2. This Article does not prevent a Party from adopting or maintaining a measure inconsistent with paragraph 1 that is necessary to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restriction. See also Article 14.11 of the CPTPP.