CPPA: Welcome Clarification on Contractual and Other Duties on Cross-Border Transfers of Personal Information

On November 16, 2020, the federal government introduced the Consumer Privacy Protection Act (“CPPA”), which, if enacted, will provide organizations with greater clarity regarding their obligations when engaging third party service providers to process personal information outside Canada. In this blog, we explore how the core concepts of cross-border transfers of personal information for processing are evolving after a brief period of major uncertainty.

A Stable Beginning: Cross-Border Transfers of Personal Information under PIPEDA

Under Canada’s current federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), there has been a well-established understanding of the requirements for cross-border transfers of personal information for processing, at least until the recent past.

Cross-border transfers were first explored by a 2005 case involving CIBC (the “CIBC Decision”), where the Office of the Privacy Commissioner of Canada (the “OPC”) determined that “companies are not required to provide customers with the choice of opting-out [of cross-border transfers] where the third-party service provider is offering services directly related to the primary purposes for which the personal information was collected.”

In place of consent, and drawing on Principle 4.1.3 of PIPEDA, the OPC emphasized accountability as a key consideration for such cross-border transfers of personal information for processing, especially where sensitive information was in play. In particular, that Principle required that the organization “use contractual or other means to provide a comparable level of protection while the information is being processed by a third party [service provider].”

The CIBC Decision established norms of due diligence and commentary on appropriate contractual terms to provide comparable administrative, technical and physical protections for such cross-border transfers of personal information for processing. Terms that might come into play in appropriate circumstances included security standards, confidentiality clauses, rights of access and audit, and clear lines of sight on ownership of the data processed by the service provider. Notably, the OPC took the pragmatic perspective that the risk of personal information being disclosed to government authorities for intelligence purposes existed to a comparable level in Canada as it did in the United States, and thus concluded that the USA PATRIOT Act did not form a sufficient basis to block data transfers to that country.

Later, in 2009, the OPC issued guidance on cross-border transfers of personal information for processing in the Guidelines on Processing Personal Data Across Borders (the “2009 Guidelines”). In the 2009 Guidelines, the OPC indicated that an organization was not required to obtain an individual’s consent to transfer their personal information outside Canada for processing, as this was considered a “use” as opposed to a “disclosure” of personal information. Consent to the “use” was sufficient to transfer the personal information outside of Canada for that “use”. These principles were relied upon by numerous organizations to arrange their affairs, especially with the emergence of cloud-based third party service providers, often based outside Canada, that provided efficiencies and (often) better security than an organization could provide on its own.

2019: A Consultation and a Moment of Chaos

Unfortunately, the clarity provided by the 2009 Guidelines was muddled in April 2019 when the OPC issued the Consultation on Transborder Dataflows (the “2019 Consultation”). In the 2019 Consultation, the OPC reversed its longstanding position, indicating that transferring personal information outside Canada for processing was considered a “disclosure” as opposed to a “use” of personal information, requiring consent. The OPC engaged in a sua sponte statutory re-interpretation of PIPEDA to support this position, with remarkable repercussions as organizations were left uncertain as to whether and how they would need to seek consents for a vast number of ordinary business activities involving specialized processors, and wondering what impacts might be caused if some or many individuals purported to “opt out” from these crucial arrangements.

The OPC made an even more dramatic finding in a 2019 case involving Equifax Canada (the “Equifax Decision”), where it determined that Equifax Canada was required to obtain a “more robust” form of express consent from individuals when transferring their personal information outside Canada to its US parent, Equifax Inc., for processing, as such a transfer was considered a “disclosure”. Despite their “parent-subsidiary relationship”, the OPC concluded that Equifax Canada and Equifax Inc. were “third parties to each other” on the basis that they were separately incorporated in different jurisdictions and had been represented in public materials as “separate entities”. This finding sent a shockwave through numerous companies that centralized technology services in affiliates located in other jurisdictions, with those companies again wondering how to manage consents for a complex web of processing relationships.

The OPC’s proposed reversal in the 2019 Consultation and the Equifax Decision were met with significant concern from stakeholders who stressed that obtaining such consent would be a significant administrative burden, created the spectre of unworkable opt-outs, and was not required by PIPEDA in any event. In the face of stakeholder protests, the OPC reversed its position once again in its “Reframed discussion document”, standing back from its strongest statements in the 2019 Consultation and deemphasizing the need for consent, while hinting that it would push for future legislative reform.

The OPC then came full circle by reaffirming the viability of the 2009 Guidelines in a 2020 case involving TD Bank’s outsourcing of certain aspects of its fraud claims processing services to a third party provider located in India (the “TD Decision”). The complainant alleged that there must be a right to opt out of such arrangements and challenged the data transfer practices on openness and accountability grounds.

In an extensive review of the arrangement, the OPC determined that TD met all the requirements for a cross-border transfer of data, and that PIPEDA did not require provision of an opportunity to opt out of the arrangement. In particular, the OPC found that:

  • TD had obtained consent to use its customers’ personal information for fraud prevention purposes, and with that consent in hand, was not required to obtain separate consent for a transfer of the personal information to the service provider;
  • TD had fulfilled the openness requirements by providing information about foreign service providers “up-front, in its account opening agreements and the TD Privacy Code”, and also through “Privacy Highlights” and “Our privacy commitments” summary resources; and
  • TD fulfilled accountability requirements through robust contracts, technological limitations, and other controls.

Altogether, the TD Decision brought us back to the principles of the CIBC Decision, re-establishing a balance focused on accountability and openness in light of the central importance of processing arrangements in the digital economy.

The Legislative Reforms of CPPA

CPPA is welcome news for organizations, as it continues the long-established practices now dating back 15 years to the CIBC Decision, while providing more clarity by explicitly including guidance within the body of the proposed Act, as opposed to hints in a Model Code. CPPA explicitly allows organizations to transfer an individual’s personal information to a service provider for processing without their knowledge or consent, and does not distinguish between service providers inside or outside Canada.

While CPPA does not require organizations to obtain an individual’s consent to transfer their personal information to a service provider inside or outside Canada, it imposes other accountability-based obligations on organizations aimed at ensuring personal information is sufficiently protected, similar to those under PIPEDA. Namely:

  • An organization is always accountable for the personal information in its control, such as the information it collects from individuals. This includes where the organization transfers personal information to a service provider, regardless as to whether such transfer is cross-border (s. 7 of CPPA).
  • Where an organization transfers personal information to a service provider inside or outside Canada, it must ensure through contractual means or otherwise that the service provider provides substantially the same protection for the personal information as that which the organization is require to provide under CPPA (s. 11(1) of CPPA).
  • An organization is required to disclose to individuals whether it carries out cross-border transfers or disclosures of personal information that may have reasonably foreseeable privacy implications (s. 62(2)(d) of CPPA).
  • Service providers who process personal information on behalf of others are not subject to most obligations under CPPA. But they are subject to all of the CPPA obligation if they collect, use or disclose the personal information for any purpose other than the purposes for which the information was transferred (s. 11(2)). This will lead to interesting discussions for larger service providers, who currently may seek to whittle down purpose limitation clauses in their contract negotiations so that they can “improve their product or service” or engage in other uses for their own benefit.

Another Potential Source of Concern: Cross-Border Transfers of Personal Information under Quebec’s Bill 64

Quebec is also in the process of reforming its private sector privacy legislation. Bill 64, which was introduced in July 2020 and is currently being reviewed as part of public consultations, would put in place requirements related to cross-border transfers of personal information for processing that are far more stringent than those under PIPEDA or CPPA.

Under the first reading version of Bill 64, before transferring personal information cross-border – even to another province – organizations must conduct a privacy impact assessment to evaluate whether the personal information would receive a level of protection “equivalent” to that provided in Quebec, in the other jurisdiction. As part of this assessment, organizations would be required to consider the sensitivity of the personal information, purposes for which it would be used, applicable protection measures, as well as “the legal framework applicable in the [jurisdiction] in which the information would be released, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Quebec”. The personal information cannot be released unless the assessment establishes that the information would “receive protection equivalent to that afforded under this Act”. Even if the organization determines the legal framework applicable is satisfactory, any transfer must be subject to a written agreement mitigating any risks identified during the privacy impact assessment.

“Equivalency” connotes an even stronger flavour than the GDPR’s “adequacy” regime, discussed below, leaving open the question of whether a strong but conceptually distinct legal regime would meet the standards of Bill 64. Given the penalties associated with failure to comply with Bill 64, this is not a purely academic question.

The requirement to conduct a privacy impact assessment before transferring personal information to third party service providers outside Canada for processing may be particularly challenging for less sophisticated or less capitalized organizations that depend on the efficiencies and security benefits of cloud-based third party service providers, but cannot carry out sophisticated legal due diligence to gauge the equivalency of another country’s or province’s legal regime.

Cross-Border Transfers of Personal Information under the GDPR

For comparison purposes, the European Union’s General Data Protection Regulation (the “GDPR”) approach to cross-border transfers of personal information is more stringent than the approach under PIPEDA and CPPA, but, arguably, less stringent than the approach under Bill 64.

While the default position under PIPEDA and CPPA allows organizations to transfer personal information cross-border, the default position under the GDPR, like under Bill 64, does not allow organizations to transfer personal information cross-border, except to jurisdictions that the European Commission (the “EC”) has determined afford “adequate” protection to personal information (an “adequacy decision”).

However, unlike Bill 64, the GDPR ensures that organizations are not altogether prohibited from transferring personal information to a jurisdiction for which the EC has not issued an “adequacy decision”. Instead, an organization must simply enter into a set of “Model Clauses” with the organization in the other jurisdiction, to ensure that the personal information transferred cross-border receives adequate protection.

Tips for Businesses

While CPPA has yet to be passed as legislation, organizations can take a number of preemptive steps to ensure that they are in compliance with CPPA, if enacted: 

  • Understanding Location of Personal Information: Businesses should confirm whether they, or any service providers to which they transfer personal information, process personal information outside Canada. This may include confirming where service providers are located and where they store personal information.
  • Disclosing Cross-Border Transfers of Personal Information in Privacy Policies: Businesses should ensure they disclose whether they transfer personal information cross-border in their privacy notices, including:
    • the jurisdictions in which personal information may be transferred;
    • the possibility that such other jurisdictions may not as stringently protect personal information; and
    • that personal information may be accessible by law enforcement, national security bodies, courts, litigants, or other governmental bodies in such jurisdictions.
  • Ensuring Sufficient Protection for Personal Information Transferred Across Borders: Businesses should confirm they are requiring, by contractual or other means, that the service providers to which they transfer personal information cross-border are providing the level of protection required by CPPA. This can be accomplished by:
    • reviewing and updating template agreements that involve cross-border transfers of personal information to third party service providers for processing, such as software-as-a-service or other service agreements, to ensure they provide for a “comparable level of protection” for personal information. While the specific contractual and other measures needed to ensure such “comparable level of protection” will vary based on the nature of the services being provided by the third party service provider, template agreements should include provisions focused on maintaining accountability, including the following:
      • clear purpose limitations;
      • security standards;
      • confidentiality;
      • rights of access and audit rights;
      • data breach notification and cooperation procedures;
      • complaint procedures;
      • applicable law clauses that track changes in law;
      • data residency;
      • destruction of the information at expiration or termination of the agreement; and
      • clear delineation of control of the personal information being processed.
    • In the TD Decision, which dealt with information of considerable sensitivity, the OPC noted the following non-contractual measures implemented by TD:
      • risk assessment prior to entering into the contract;
      • employee background assessment and monitoring;
      • employee policies and training;
      • work environment controls;
      • access and other cybersecurity controls;
      • proactive monitoring and enforcement of contractual obligations; and
    • confirming that, under existing agreements or templates, any organization to which the business transfers personal information cannot transfer such personal information to another jurisdiction without the business’ consent.

To follow the updates, subscribe to TechLex (below) or contact our Cyber/Data Group for assistance on navigating this complex new regime.

Authors

Subscribe

Stay Connected

Get the latest posts from this blog

Please enter a valid email address