On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) announced fundamental changes to its long-established position on cross-border data flows under the Personal Information Protection and Electronic Documents Act (PIPEDA). A public consultation is open until June 28, 2019.
New prior consent requirement for data transfers
The OPC's longstanding position, as set out in its 2009 Guidelines for Processing Personal Data Across Borders, was that PIPEDA does not require additional consent for an organization to transfer personal information to a service provider, whether located in Canada or in another jurisdiction. Rather, the guidelines explained, PIPEDA requires consent to the purpose for which the information is processed. In accordance with the accountability principle underlying PIPEDA, the transferring organization was held accountable for the information in the hands of the organization to which it had been transferred. A data transfer for processing to a third party was considered to be a "use" of the information, rather than a "disclosure". Accordingly, assuming the information was being used for the purpose for which it was originally collected, additional consent for the transfer, as opposed to the processing, was not required.
In stark contrast to its previously held approach, the OPC now suggests that prior consent is required for all "disclosures" of information between organizations, including transfers between organizations and their service providers, and that such transfer is now considered to be a "disclosure" rather than a "use" of the information. The proposal apparently would apply to all transfers, whether made between organizations within Canada or made cross-border, but cross-border transfers appear to be a specific focus of the consultation. For example, the proposal appears to suggest that in the case of cross-border transfers, the organization must inform the individual of options available to them if they do not wish to have their personal information disclosed across the border, and choices must be made available "for any collection, use or disclosure that is not necessary to provide the product or service."
The rationale for this complete reversal is unclear, and appears to be at least partially influenced by the European regime under the GDPR while ignoring major differences between the GDPR and PIPEDA with respect to cross-border transfers. In particular, a key distinction between the OPC's proposal and the GDPR is that under the GDPR, consent for data transfers will not always be required, including where the data transfer is necessary for the performance of a contract between the individual and the organization taken at the individual's request.
Major departure from Canadian privacy laws
The proposed changes fly in the face of the established approach to data transfers under other Canadian privacy laws. For example, most health privacy laws, including those deemed "substantially similar" to PIPEDA such as Ontario's PHIPA, explicitly treat the sharing of information with an agent or service provider as a "use" of information by the custodian, rather than a "disclosure" to a third party that would require additional consent. Should the OPC adopt the opposite interpretation with respect to PIPEDA, organizations may find themselves subject to conflicting rules and obligations. Further, individuals may find themselves facing increasingly voluminous consent language, as information that has long been disclosed via open and clearly written privacy policies is loaded into summary disclosures made in addition to disclosing purposes of the processing to which the individual is asked to consent.
Implications for organizations
The change in the OPC's position appears to ignore a multitude of potential practical challenges for organizations, including but not limited to:
- navigating the conflicting requirements of vastly divergent privacy regimes in different sectors and jurisdictions across the country, in particular with respect to the processing of personal health information;
- creating workable policies and procedures to obtain meaningful individual consent for cross-border data transfers to each new service provider; and
- revising privacy policies and procedures recently updated in compliance with the new Guidelines for Obtaining Meaningful Consent to account for a vast number of situations in which additional informed consent would have to be obtained from existing clients and business partners for transfers of information for processing - even in cases where clear individual consent for the processing itself has already been obtained.
It is imperative that stakeholders participate in the consultation prior to June 4, 2019 in order to fully address the numerous practical concerns that are certain to arise in response to the OPC's new position.