The Office of the Privacy Commissioner of Canada (OPC)'s report, Personal Information Protection and Electronic Documents Act (PIPEDA) Report of Findings #2019-001, issued April 9, 2019, into the Equifax hack, created controversy as the report suggested that the existing law on the level of consent necessary for Canadian organizations to engage in transborder processing of personal data had changed and that the OPC was now asserting that a new standard of express consent was required.
In para. 111 of the report, the OPC stated "we acknowledge that in previous guidance our Office has characterized transfers for processing as a ‘use’ of personal information rather than a disclosure of personal information. Our guidance has also previously indicated that such transfers did not, in and of themselves, require consent."
The OPC went on and recommended in para. 112 of the report that "Equifax Canada and Equifax Inc. … Seek valid, express consent from any current customers for future disclosures of their information to Equifax Inc."
The circumstances of that case were that the operations of both Equifax entities were highly integrated and information flowed readily from Equifax Canada to the U.S. parent but without formal agreements between the parties and inadequate notification of Canadian customers under the current law.
In the OPC’s 2009 Guidelines for Processing Personal Data Across Borders (the “2009 Guidelines”), the OPC set out two principles:
- Transborder (or cross-border) transfers for processing are subject to the accountability principle. "Principle 1 places responsibility on an organization for protecting personal information under its control. Principle 4.1.3 of Schedule 1 of PIPEDA specifically recognizes that personal information may be transferred to third parties for processing. It also requires organizations to use contractual or other means to ‘provide a comparable level of protection while the information is being processed by the third party.’”
- “‘Transfer’ is a use by the organization. It is not to be confused with a disclosure.” Furthermore, “[a]ssuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required."1
The OPC report in the Equifax decision was a change in position that the OPC suggested "is based ultimately on our obligation to ensure that our policies reflect a correct interpretation of the current law. During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a “disclosure” is debatable and likely not correct as a matter of law. In our view, a transfer of personal information between one organization and another clearly fits within the generally accepted definition of “disclosure”: «make known, reveal» (Canadian Oxford English Dictionary)."2
Given that Canada's economy is highly integrated with that of other nations, and particularly the United States, this development gave rise to concern. Some concerns were that it is was not the function of the OPC to make dramatic changes to the law. That is parliament's role and the legislative process has the benefit of usually considering all facets of an issue before a change is made.
In response to the concerns raised on this new interpretation of the law, the OPC launched a consultation on transborder data flows under PIPEDA. The OPC noted that "Stakeholders have indicated that it would be useful to provide more detailed information with respect to the reasons that have led us to revisit our policy position on this issue". The OPC submitted a supplementary discussion document on June 11, 2019, to further explain the reasons for the change in the law.
Many industry organizations and stakeholders became engaged in this process. The vast majority of the submissions noted that there was no requirement in the law for consent for transborder data flows3, they noted that the present legal regime on accountability was functional and the new interpretation was costly and complex to implement. Many noted that the new interpretation would be contrary to "Canada’s goal of developing a data driven digital economy".
The engagement in the review of the consultation on transborder data flows under PIPEDA concluded on September 23, 2019. The OPC "concluded that its guidelines for processing personal data across borders will remain unchanged under the current law. The OPC will now focus its efforts on how a reformed law can best protect Canadians’ privacy rights when their information is transferred between organizations."
The OPC confirmed that "While the OPC’s position on transfers for processing remains unchanged, we remind businesses of the legal requirement to be transparent about personal information handling practices. Organizations should advise customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities."
The end result confirms that the 2009 Guidelines remain the law. All organizations engaged in transborder data flows are recommended, however, to use the occasion to take a close look at their information handling practices and the adequacy of the arrangements for processing of personal information so that they adequately comply with the law.
1 See OPC "Supplementary discussion document – Consultation on transborder dataflows", June 11, 2019.
2 See OPC "Supplementary discussion document – Consultation on transborder dataflows", June 11, 2019.
3 See OPC, "Commissioner concludes consultation on transfers for processing", September 23, 2019.