Last week the Office of the Privacy Commissioner of Canada (the “OPC”) launched a “Consultation on transborder dataflows” (the “Consultation”), in which it proposes to totally reverse its policy position on cross-border data transfers by organizations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In the absence of an applicable exception under PIPEDA, the OPC’s revised view is that the transfer of personal information for processing, including a cross-border data transfer or the transfer of personal information to an affiliated corporation, is a “disclosure” of personal information that requires consent.
The OPC’s new proposal is a departure from its previous position. Up until the release of the Consultation and the OPC’s accompanying report of findings in its investigation into the 2017 Equifax breach (the “Equifax Report”), the OPC’s policy position has been that a transfer of personal information for the purpose of processing is a “use” rather than a “disclosure” of personal information. The implication of such a transfer being a “use” is that transferring organizations are required to provide notice to affected individuals, while the main implication of that transfer being a “disclosure” is that the organization requires consent of the individual for the transfer.
The reason given by the OPC for this policy change is that under PIPEPA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. Since “nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements”, the OPC’s updated view is that, “as a matter of law, consent is required”.
The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements. It is seeking input on its updated policy position, as well as on specific areas for which related guidance would be most needed. Comments are due by June 4, 2019.
The cross-border disclosure of personal information, including for processing, requires consent
The Consultation also highlights the importance of obtaining meaningful consent. For consent to be valid, organizations must provide individuals with clear information regarding any disclosure to a third party, including instances when they are located in another country, and the associated risks.
In determining whether express or implied consent is appropriate, companies should consider the sensitivity of the information and the individuals’ reasonable expectations in the circumstances; underlying both should be a consideration of the risk of harm to the individual. The OPC notes that “where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied”. In the OPC’s view, “individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.”
Individuals must be informed of any options available if they do not consent to cross-border disclosures of their personal information
Individuals must be provided with clear and adequate information about the nature, purpose and consequence of any cross-border disclosure of personal information, so they can make an informed decision about whether to consent to the disclosure. Where the disclosure is not necessary to provide a product or service, individuals must be provided with a clear and easily accessible choice regarding the disclosure. However, where the transfer for processing is “integral to the delivery of a service”, organizations are not obligated to provide an alternative.
The OPC did not specify a test for what is “integral to the delivery of a service”.
When disclosing personal information to a third party for processing, a company does not relinquish control of the information
An organization that transfers personal information for processing will generally remain accountable for the personal information as the “controller”. The Consultation notes that determining which organization has personal information “under its control” can be complex and must be assessed on a case-by-case basis. The OPC will look at factors such as contractual arrangements, commercial realities, evolving business models and shifting roles when determining which organization “controls” the personal information. As is currently the case, the controller will still be required to use contractual or other means to provide a comparable level of protection while the information is being processed.
The OPC’s finding about the Equifax breach illustrates this accountability.
The OPC also found that “to determine the appropriate levels of controls, consideration must be given to both the scope and sensitivity of personal information being handled”. In some cases “where the third party is closely affiliated and the personal information being handled is of limited scope and sensitivity, it may be possible to rely on light controls and pre-existing, adequate, policies and practices of the third party” to fulfil the accountability obligations of the controller. However, where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the level of controls should be “commensurately high”, including at a minimum: (a) a formal written arrangement, updated periodically and in the case of material changes; and (b) a structured program for monitoring compliance against the obligations laid out in the arrangement that is suitable to the scope and sensitivity of the personal information being handled.
Ultimately, the OPC concluded both Equifax Inc. and Equifax Canada contravened PIPEDA due to: (a) inadequate data protection safeguards by both companies; (b) inadequate accountability by Equifax Canada with respect to Canadian data processed by Equifax Inc.; and (c) the failure of Equifax Canada to obtain valid consent from individuals whose personal information was transferred to Equifax Inc. for processing and was eventually compromised.
Implications for Businesses
The OPC’s shift in its position suggests a progression in aligning PIPEDA with the European Union’s General Data Protection Regulation and Canada’s international trade obligations. In setting out its revised policy position on cross-border data transfers, the OPC notes “organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process.” While “individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation)”, at the same time “organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.”
As data transfers for processing are now considered third-party disclosures, regardless of whether the transfer is to a third party or an affiliate company, organizations should re-examine their consent processes and privacy policies. To obtain valid consent, organizations should provide clear and adequate information about the nature, purpose and consequence of any transfer of personal information to a third party, including instances when they are located in another country, and the associated risks. Where the information will be disclosed outside of Canada, individuals should be informed their personal information may be subject to the legal regime of another country. Where the disclosure is not necessary to provide a product or service, individuals must be provided with a clear and easily accessible choice regarding the disclosure.
Companies should also ensure they enter into data processing agreements that impose sufficiently robust obligations on recipient organizations, including for intercompany transfers of personal information between affiliated entities. Where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the parties should have in place: (a) a formal written arrangement, updated periodically and in the case of material changes; and (b) a structured program for monitoring compliance against the obligations laid out in the arrangement that is suitable to the scope and sensitivity of the personal information being handled.
Dispute ResolutionThe COVID-19 pandemic presented businesses with unprecedented challenges. It was inevitable that litigation would follow, and that the courts would be required to interpret familiar contract terms in…
Privacy and Data ProtectionAnother chapter in the now decade-long saga of Douez v. Facebook was penned earlier this month as a British Columbia Court found Facebook liable for providing advertisers access to users…
Dispute ResolutionArbitrators and mediators (“Neutrals”) hired in Ontario do not generally reflect the gender or racial diversity of the demographics of the province or the legal profession. Through this report the…
COVID Fall-Out: Ontario Judge Awards $1.2 Billion in Damages to Target Company in Failed Business CombinationThe Ontario Superior Court of Justice’s recent decision in Cineplex v. Cineworld offers an interesting contrast to the Delaware Court of Chancery’s decision in AB Stable v. MAPS Hotel and Resorts…
Capital MarketsReporting issuers in Canada are subject to governance standards and continuous disclosure obligations under securities laws and stock exchange rules. This Update discusses relevant governance and…
Supreme Court of Canada Holds Pre-filing Claims can be Set Off in Proceedings Under the Companies’ Creditors Arrangement ActIn Montreal (City) v. Deloitte Restructuring Inc., a majority of the Supreme Court of Canada ruled that the Companies’ Creditors Arrangement Act (the “CCAA”) authorizes a court, though only in rare…
Construction and InfrastructureGoodmans LLP acted for HB Construction Co. in respect of the construction of a mine in New Brunswick. The litigation relates to a claim in respect of the installation of mechanical and electrical…
Mergers and AcquisitionsGoodmans LLP acted for McCain Capital Partners in connection with its acquisition of Forest City Fire Protection. Forest City Fire Protection will now unite with Classic Fire Protection (another…
RestructuringGoodmans LLP acted for the Ad Hoc Committee of Lenders of Cirque du Soleil Entertainment Group in connection with the successful closing of a sale transaction and its emergence from creditor…
Mergers and AcquisitionsGoodmans LLP represented Delivra Corp. in connection with its arrangement transaction with Harvest One Cannabis Inc., pursuant to which Harvest One acquired all of the issued and outstanding shares of…
Mergers and AcquisitionsGoodmans LLP acted for Newmont Mining Corporation (NYSE: NEM) (Newmont or the Company) in connection with its agreement to acquire all of the outstanding common shares of Goldcorp Inc. (NYSE: GG, TSX…
RestructuringAlgoma sought and obtained CCAA protection on November 9, 2015 and carried out a sale and investment solicitation process to identify sale and/or investment opportunities in respect of its business…
News & Events
Dispute ResolutionWe are delighted to announce the Lexpert Special Edition: Litigation 2022 once again features Goodmans partners among Canada's experts in litigation.Congratulations to our 13 featured partners:Andrew…
Banking and Financial ServicesWe’re pleased to announce Goodmans was once again named to The Globe and Mail’s Canada’s Best Law Firms list, recognizing the firm as one of the country’s best law firms for 2023.Goodmans was…
Banking and Financial ServicesWe are pleased to announce Goodmans LLP has once again received top tier recognition from The Legal 500 Canada in their 2023 Guide released today. Recognition from The Legal 500 is based on…