Wendy J. Wagner
Partner
Co-leader, National Cyber Security & Data Protection Group; Head, International Trade & Customs
Article
On April 9, 2019, Canada's Office of the Privacy Commissioner of Canada (OPC) announced fundamental changes to its long established position on cross-border data flows under the Personal Information Protection and Electronic Documents Act (PIPEDA). A public consultation is open until June 28, 2019.
The OPC's longstanding position, as set out in its 2009 Guidelines for Processing Personal Data Across Borders, was that PIPEDA does not require additional consent for an organization to transfer personal information to a service provider, whether located in Canada or in another jurisdiction. Rather, the guidelines explained, PIPEDA requires consent to the purpose for which the information is processed. In accordance with the accountability principle underlying PIPEDA, the transferring organization was held accountable for the information in the hands of the organization to which it had been transferred. A data transfer for processing to a third party was considered to be a "use" of the information, rather than a "disclosure". Accordingly, assuming the information was being used for the purpose for which it was originally collected, additional consent for the transfer, as opposed to the processing, was not required.
In stark contrast to its previously held approach, the OPC now suggests that prior consent is required for all "disclosures" of information between organizations, including transfers between organizations and their service providers, and that such transfer is now considered to be a "disclosure" rather than a "use" of the information. The proposal apparently would apply to all transfers, whether made between organizations within Canada or made cross-border, but cross-border transfers appear to be a specific focus of the consultation. For example, the proposal appears to suggest that in the case of cross-border transfers, the organization must inform the individual of options available to them if they do not wish to have their personal information disclosed across the border, and choices must be made available "for any collection, use or disclosure that is not necessary to provide the product or service."
The rationale for this complete reversal is unclear, and appears to be at least partially influenced by the European regime under the GDPR while ignoring major differences between the GDPR and PIPEDA with respect to cross-border transfers. In particular, a key distinction between the OPC's proposal and GDPR is that under the GDPR, consent for data transfers will not be always be required, including where the data transfer is necessary for the performance of a contract between the individual and the organization taken at the individual's request.
The proposed changes fly in the face of the established approach to data transfers under other Canadian privacy laws. For example, most health privacy laws, including those deemed "substantially similar" to PIPEDA such as Ontario's PHIPA, explicitly treat the sharing of information with an agent or service provider as a "use" of information by the custodian, rather than a "disclosure" to a third party that would require additional consent. Should the OPC adopt the opposite interpretation with respect to PIPEDA, organizations may find themselves subject to conflicting rules and obligations. Further, individuals may find themselves facing increasingly voluminous consent language, as information that has long been disclosed via open and clearly written privacy policies is loaded into summary disclosures made in addition to disclosing purposes of the processing to which the individual is asked to consent.
The change in the OPC's position appears to ignore a multitude of potential practical challenges for organizations, including but not limited to:
It is imperative that stakeholders participate in the consultation prior to June 4, 2019 in order to fully address the numerous practical concerns that are certain to arise in response to the OPC's new position.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.