Seeking input from interested third parties, the Office of the Privacy Commissioner of Canada (OPC) announced a revision to its policy position on transborder data flow under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) through the recent release of a consultation document (the “Consultation Document”) and a supplementary discussion document.
The key points from the Consultation Document include the following:
- Organizations in Canada that disclose personal information across a border—including for processing—must obtain consent for this transfer.
- Transfers of information for processing require consent as they involve disclosure of personal information from one organization to another.
- For consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including when they are located in another country, and the associated risks.
- When determining the form of consent (express or implied), companies will need to consider the sensitivity of the information and the individual’s reasonable expectations.
- Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders. However, where the transfer of information for processing is integral to the delivery of a service, organizations are not required to provide an alternative.
- The new policy position includes not only cross-border transfers between controllers and processors, but also other cross-border disclosures of personal information between organizations.
The Consultation Document represents a shift in approach from that set out in the OPC’s 2009 Guidelines for Processing Personal Data Across Borders, which provided, among other things, that "a transfer for processing is a "use" of the information; not a disclosure." The change under which cross-border data transfers will be considered a "disclosure" and not a "use" of personal information would help position Canada's privacy rights closer to the European General Data Protection Regulation (GDPR).
In the supplementary discussion document, the OPC set out that the change in its position is based in part on findings from its investigation into Equifax's 2017 data breach. The OPC concluded that "a transfer of personal information between one organization and another clearly fits within the generally accepted definition of 'disclosure'." The supplementary discussion document also states that along with consent, the principles of accountability and openness under PIPEDA apply.
This proposed policy position from OPC has implications with respect to the consent required to transfer an individual’s personal information across a border. Under this new policy direction, further disclosure and express consent may be required to the extent that personal information is being disclosed to a third party in a different jurisdiction. As stated in the supplementary discussion document, the OPC's change in position will "require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers."
To ensure compliance under PIPEDA, organizations should: (i) identify and map how personal information is collected, used/processed, stored, transferred and disclosed, and (ii) assess whether adequate consent has been obtained. This is particularly so given the policy position stated in the Consultation Document.
At this stage, organizations are encouraged to provide comments to the OPC with respect to the Consultation Document by June 4, 2019.