Privacy Commissioner Retains Original Policy on Cross-Border Transfers of Personal Information
The Office of the Privacy Commissioner of Canada (OPC) announced yesterday that it concluded its “Consultation on transborder dataflows” (the “Consultation”) and determined that its 2009 Guidelines for processing personal data across borders (the “2009 Guidelines”) will remain unchanged under the current law. This means that a cross-border transfer of personal information for the purpose of processing will continue to be regarded as a “use” and not a “disclosure” of personal information. Transferring organizations can continue to provide notice to affected individuals of cross-border transfers of personal information, rather than seek their consent to the transfer.
As we noted in our April 15, 2019 Update, Privacy Commissioner Reverses its Position on Cross-Border Transfers of Personal Information, the position taken by the OPC in its Consultation, that consent may be required for transfers of personal information for processing, represented a total reversal of its 2009 Guidelines. The proposal was met with much opposition from stakeholders, with the vast majority taking the position that there is no requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.
As such, the OPC stated it is “applying a pragmatic approach in determining that it will maintain the status quo until the law is changed”. The OPC will instead focus its efforts on developing recommendations, in response to the federal government’s proposed modernization of PIPEDA1, on how a future law could address transfers for processing and transborder data flows to effectively protect privacy.
The OPC has taken the opportunity to remind businesses of the legal requirement to be transparent about personal information handling practices. Organizations should advise customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.
The OPC also expects organizations to continue to apply its Guidelines for obtaining meaningful consent to allow individuals to make informed decisions by emphasizing key elements in their privacy notices: what personal information is being collected; with whom personal information is being shared; for what purposes personal information is collected, used or disclosed; and any residual meaningful risk of harm or other consequences.
1 On May 21, 2019, the federal government announced its Digital Charter and published a related white paper entitled Strengthening Privacy for the Digital Age, which includes considerations for amending PIPEDA.
Expertise
Authors
Insights
-
Privacy and Data Protection
B.C. Court Rules Facebook Liable for Privacy Violations in Class Action
Another chapter in the now decade-long saga of Douez v. Facebook was penned earlier this month as a British Columbia Court found Facebook liable for providing advertisers access to users… -
Technology
Technology Sourcing 2021 - Canada Chapter
Richard Corley, Jessica Bishop and Peter Ruby co-authored the 1st edition of the International Comparative Legal Guide - Technology Sourcing 2021, Canada chapter. The Canada chapter covers common… -
Banking and Financial Services
Federal Government Releases Draft Retail Payments Activities Act
On April 30, as part of the 2021 federal budget, Canada’s Deputy Prime Minister and Minister of Finance (the “Minister”) introduced Bill C-30, An Act to implement certain provisions of the budget… -
Dispute Resolution
Federal Privacy Regulation 2.0: Now with Bite and Bark
This week, the Canadian Federal Minister of Innovation, Science and Industry introduced for first reading in Parliament Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal… -
Class Actions
Clarity Emerging in Data Breach Class Actions and the Risks Are High
A recent decision of the Ontario Superior Court suggests that judges are increasingly willing to certify class actions brought in respect of data breaches. That willingness, when combined with the… -
Dispute Resolution
Privacy Commissioner of Canada Rules on Loblaw Gift Card Program
Last week, the Privacy Commissioner of Canada determined that Loblaw Companies Ltd. initially collected more personal information than it needed with respect to the $25 Loblaw gift cards it made…
Featured Work
-
Mergers and Acquisitions
Group led by Michael Andlauer buys Ottawa Senators
Goodmans LLP is acting for an entity controlled by Michael Andlauer in its agreement to purchase the Ottawa Senators Hockey Club from the Melnyk Estate. The Ottawa Senators are one of seven NHL… -
Mergers and Acquisitions
Ceridian Acquires Ideal
Goodmans LLP acted for Ideal, a leading talent intelligence software provider based in Toronto, Ontario in connection with its acquisition by Ceridian…
News & Events
-
Banking and Financial Services
The Canadian Legal Lexpert Directory 2023 Continues to Recognize Goodmans
We are proud to announce we have once again been recognized in The Canadian Legal Lexpert Directory 2023.85 Goodmans lawyers have been recognized as top-tier in their fields and leaders across… -
Privacy and Data Protection
Peter Ruby featured in "Canadian privacy proposal mixes elements of GDPR and CCPA", Global Data Review
Peter Ruby was recently interviewed by Global Data Review on Canada's new proposed data privacy legislation.Ruby currently has had “virtually no” power to issue penalties, but this bill would… -
AI
Peter Ruby moderates the World Law Group Webinar: Artificial Intelligence and Intellectual Property Challenges
Hosted by the World Law Group's Intellectual Property and Information Technology Group, Peter Ruby will moderate the webinar "Artificial Intelligence and Intellectual Property Challenges".The panel…