Privacy Commissioner Retains Original Policy on Cross-Border Transfers of Personal Information

The Office of the Privacy Commissioner of Canada (OPC) announced yesterday that it concluded its “Consultation on transborder dataflows” (the “Consultation”) and determined that its 2009 Guidelines for processing personal data across borders (the “2009 Guidelines”) will remain unchanged under the current law. This means that a cross-border transfer of personal information for the purpose of processing will continue to be regarded as a “use” and not a “disclosure” of personal information. Transferring organizations can continue to provide notice to affected individuals of cross-border transfers of personal information, rather than seek their consent to the transfer.

As we noted in our April 15, 2019 Update, Privacy Commissioner Reverses its Position on Cross-Border Transfers of Personal Information, the position taken by the OPC in its Consultation, that consent may be required for transfers of personal information for processing, represented a total reversal of its 2009 Guidelines. The proposal was met with much opposition from stakeholders, with the vast majority taking the position that there is no requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.

As such, the OPC stated it is “applying a pragmatic approach in determining that it will maintain the status quo until the law is changed”. The OPC will instead focus its efforts on developing recommendations, in response to the federal government’s proposed modernization of PIPEDA1, on how a future law could address transfers for processing and transborder data flows to effectively protect privacy.

The OPC has taken the opportunity to remind businesses of the legal requirement to be transparent about personal information handling practices. Organizations should advise customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.

The OPC also expects organizations to continue to apply its Guidelines for obtaining meaningful consent to allow individuals to make informed decisions by emphasizing key elements in their privacy notices: what personal information is being collected; with whom personal information is being shared; for what purposes personal information is collected, used or disclosed; and any residual meaningful risk of harm or other consequences. 

1 On May 21, 2019, the federal government announced its Digital Charter and published a related white paper entitled Strengthening Privacy for the Digital Age, which includes considerations for amending PIPEDA.