On June 11, 2019, the Office of the Privacy Commissioner of Canada (OPC) issued a “reframed” discussion document in respect of its prior consultation on transfers for processing announced on April 9, 2019. Readers may recall that the April 9th consultation document proposed that transfers of personal information to service providers for processing should be subject to the data subjects’ consent. This proposal reversed a decade of settled guidance from the OPC advising organizations that transfers of personal information to service providers amounted to a “use” of personal information rather than a disclosure and that organizations would be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) if they met their “accountability” obligations in respect of this transferred information.
Since the announcement of the OPC’s April 9th consultation, the Minister of Innovation, Science and Economic Development issued the federal government’s Strengthening Privacy for the Digital Age whitepaper in which he announced the federal government’s intention to review PIPEDA and to potentially propose sweeping changes to modernize the legislation. The whitepaper took a different approach from that of the OPC with respect to transfers for processing, suggesting that the government might actually move away from reliance upon the requirement for consent in the case of common commercial practices or trust environments and instead institute a system of reliance upon organizations demonstrating their accountability for the protection of personal information under their control.
The OPC’s latest consultation document seems to be walking back the original OPC April 9th consent-based proposal by suggesting that the way forward is instead to adopt a system of standard contractual clauses to protect personal information transferred for processing, bolstered by a level of pro-active review by an independent public authority such as the OPC. In this latest iteration of its call for comments, the OPC also advanced the following discussion points in relation to transborder data flows, some of which argue in favour of the concept of obtaining consent and some of which support applying the accountability principle:
- The meaning of the word “transfer” in PIPEDA must reflect Parliament’s intention and is more likely a “disclosure” (which requires consent) when read within the entire context of the statute and in the grammatical and ordinary sense of the word.
- No one principle in PIPEDA operates to the exclusion of the others. As a result, how could the OPC maintain the position that, in “transfers for processing” situations, the accountability principle applies to the exclusion of the consent principle? (Note that, by previously categorizing transfers for processing as “uses” of personal information, this in fact is the position that the OPC has been maintaining since 2009.)
- The Asia-Pacific Economic Cooperation Privacy Framework, of which Canada is a member, is a voluntary, accountability-based system designed with the goal of continued free flow of information, while maintaining meaningful protection for privacy and security of personal information.
- The OPC’s 2009 guidance document on processing of personal information by third parties highlighted the importance of organizations being transparent in their personal information handling practices and in advising people at the time of collection that their personal information may be sent to another jurisdiction for processing where it may be accessed by the courts, law enforcement and national security authorities. The OPC seems to now be saying that these transborder data transfers must be highlighted when obtaining consent and indicated that it is open to the concept of considering implied consent in these situations, provided that sufficient disclosure is given concerning the scope and particulars of the data transfer.
This latest consultation document also attempts to draw a distinction between everyday transborder data flows and extreme situations in which the transborder flow of information about the exercise of legal activities by persons in Canada could potentially used against them, especially where those activities are not legal in the processing jurisdiction or the individual’s personal information does not enjoy the same level of protection in the processing jurisdiction as it does in Canada. The document cites the examples of the transfer of information about a person’s legal purchase and use of cannabis in Canada, as well as transfer of information about a person’s donations to political or religious causes. In these extreme cases, the OPC appears to be saying that some type of consent is warranted.
With the release of the federal government’s whitepaper and the OPC’s reanimated call for submissions on cross border data transfers, it is clear that privacy law in Canada will be modernized in the near future. We will continue to monitor these developments as they occur.
The call for submissions closes on August 6, 2019. Please contact our Information Technology & Data Privacy Group if you would like further information.