Last week the Office of the Privacy Commissioner of Canada (the “OPC”) launched a “Consultation on transborder dataflows” (the “Consultation”), in which it proposes to totally reverse its policy position on cross-border data transfers by organizations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In the absence of an applicable exception under PIPEDA, the OPC’s revised view is that the transfer of personal information for processing, including a cross-border data transfer or the transfer of personal information to an affiliated corporation, is a “disclosure” of personal information that requires consent.
The OPC’s new proposal is a departure from its previous position. Up until the release of the Consultation and the OPC’s accompanying report of findings in its investigation into the 2017 Equifax breach (the “Equifax Report”), the OPC’s policy position has been that a transfer of personal information for the purpose of processing is a “use” rather than a “disclosure” of personal information. The implication of such a transfer being a “use” is that transferring organizations are required to provide notice to affected individuals, while the main implication of that transfer being a “disclosure” is that the organization requires consent of the individual for the transfer.
The reason given by the OPC for this policy change is that under PIPEPA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. Since “nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements”, the OPC’s updated view is that, “as a matter of law, consent is required”.
The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements. It is seeking input on its updated policy position, as well as on specific areas for which related guidance would be most needed. Comments are due by June 4, 2019.
The cross-border disclosure of personal information, including for processing, requires consent
The Consultation also highlights the importance of obtaining meaningful consent. For consent to be valid, organizations must provide individuals with clear information regarding any disclosure to a third party, including instances when they are located in another country, and the associated risks.
In determining whether express or implied consent is appropriate, companies should consider the sensitivity of the information and the individuals’ reasonable expectations in the circumstances; underlying both should be a consideration of the risk of harm to the individual. The OPC notes that “where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied”. In the OPC’s view, “individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.”
Individuals must be informed of any options available if they do not consent to cross-border disclosures of their personal information
Individuals must be provided with clear and adequate information about the nature, purpose and consequence of any cross-border disclosure of personal information, so they can make an informed decision about whether to consent to the disclosure. Where the disclosure is not necessary to provide a product or service, individuals must be provided with a clear and easily accessible choice regarding the disclosure. However, where the transfer for processing is “integral to the delivery of a service”, organizations are not obligated to provide an alternative.
The OPC did not specify a test for what is “integral to the delivery of a service”.
When disclosing personal information to a third party for processing, a company does not relinquish control of the information
An organization that transfers personal information for processing will generally remain accountable for the personal information as the “controller”. The Consultation notes that determining which organization has personal information “under its control” can be complex and must be assessed on a case-by-case basis. The OPC will look at factors such as contractual arrangements, commercial realities, evolving business models and shifting roles when determining which organization “controls” the personal information. As is currently the case, the controller will still be required to use contractual or other means to provide a comparable level of protection while the information is being processed.
The OPC’s finding about the Equifax breach illustrates this accountability.
The OPC also found that “to determine the appropriate levels of controls, consideration must be given to both the scope and sensitivity of personal information being handled”. In some cases “where the third party is closely affiliated and the personal information being handled is of limited scope and sensitivity, it may be possible to rely on light controls and pre-existing, adequate, policies and practices of the third party” to fulfil the accountability obligations of the controller. However, where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the level of controls should be “commensurately high”, including at a minimum: (a) a formal written arrangement, updated periodically and in the case of material changes; and (b) a structured program for monitoring compliance against the obligations laid out in the arrangement that is suitable to the scope and sensitivity of the personal information being handled.
Ultimately, the OPC concluded both Equifax Inc. and Equifax Canada contravened PIPEDA due to: (a) inadequate data protection safeguards by both companies; (b) inadequate accountability by Equifax Canada with respect to Canadian data processed by Equifax Inc.; and (c) the failure of Equifax Canada to obtain valid consent from individuals whose personal information was transferred to Equifax Inc. for processing and was eventually compromised.
Implications for Businesses
The OPC’s shift in its position suggests a progression in aligning PIPEDA with the European Union’s General Data Protection Regulation and Canada’s international trade obligations. In setting out its revised policy position on cross-border data transfers, the OPC notes “organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process.” While “individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation)”, at the same time “organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.”
As data transfers for processing are now considered third-party disclosures, regardless of whether the transfer is to a third party or an affiliate company, organizations should re-examine their consent processes and privacy policies. To obtain valid consent, organizations should provide clear and adequate information about the nature, purpose and consequence of any transfer of personal information to a third party, including instances when they are located in another country, and the associated risks. Where the information will be disclosed outside of Canada, individuals should be informed their personal information may be subject to the legal regime of another country. Where the disclosure is not necessary to provide a product or service, individuals must be provided with a clear and easily accessible choice regarding the disclosure.
Companies should also ensure they enter into data processing agreements that impose sufficiently robust obligations on recipient organizations, including for intercompany transfers of personal information between affiliated entities. Where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the parties should have in place: (a) a formal written arrangement, updated periodically and in the case of material changes; and (b) a structured program for monitoring compliance against the obligations laid out in the arrangement that is suitable to the scope and sensitivity of the personal information being handled.
Dispute ResolutionDecisions earlier this year from the English courts in ClientEarth v Shell Plc et al., and the recent appeal decision from the Court of Appeal of England and Wales, shed light on climate change issues…
Intellectual PropertyAs of January 1, 2024, the Canadian Intellectual Property Office (CIPO) will be increasing most of its fees by 25%. Filing fees, renewal fees, opposition filing fees, as well as fees for initiating…
Dispute ResolutionIn Best Lawyers’ recent 2023 Business Edition, Peter Kolla explores justiciability, and other limitations Canadian Courts face when trying climate change cases. Excerpt from "The Climate…
Downstream GHG Emissions and Sierra Club Canada Foundation v Canada (Environment and Climate Change)The Federal Court’s recent decision in Sierra Club Canada Foundation v. Canada (Environment and Climate Change) highlights the continuing focus in Canada on climate change litigation. The case…
Dispute ResolutionThe Superior Court of Justice has now released its decision in Mathur v. Ontario, a case we wrote about earlier this year and which is now a further example of an unsuccessful claim against a…
Force Majeure and COVID-19 – Appeal Decision in Niagara Falls Shopping Centre Inc. v. LAF Canada CompanyAlthough it has been three years since the COVID-19 pandemic hit Canada with full force in March 2020, the courts continue to address the fallout. In November 2022, we published a case update about a…
Mergers and AcquisitionsGoodmans LLP acted for Playmaker Capital Inc. in connection with its agreement to be acquired by Better Collective A/S…
Construction and InfrastructureGoodmans LLP acted for HB Construction Co. in respect of the construction of a mine in New Brunswick. The litigation relates to a claim in respect of the installation of mechanical and electrical…
Mergers and AcquisitionsGoodmans LLP acted for McCain Capital Partners in connection with its acquisition of Forest City Fire Protection. Forest City Fire Protection will now unite with Classic Fire Protection (another…
RestructuringGoodmans LLP acted for the Ad Hoc Committee of Lenders of Cirque du Soleil Entertainment Group in connection with the successful closing of a sale transaction and its emergence from creditor…
Mergers and AcquisitionsGoodmans LLP represented Delivra Corp. in connection with its arrangement transaction with Harvest One Cannabis Inc., pursuant to which Harvest One acquired all of the issued and outstanding shares of…
Mergers and AcquisitionsGoodmans LLP acted for Newmont Mining Corporation (NYSE: NEM) (Newmont or the Company) in connection with its agreement to acquire all of the outstanding common shares of Goldcorp Inc. (NYSE: GG, TSX…
News & Events
Dispute ResolutionWe are delighted to announce the Lexpert Special Edition: Litigation 2023 once again features Goodmans partners among Canada's experts in litigation.Congratulations to our 13 featured…
Dispute ResolutionIn an article published by Lexpert, David Conklin shares his insight in "High bar for class actions". “I hate to say this – it started with me 10 years ago – but defence counsel…
Dispute ResolutionGoodmans is pleased to congratulate Tamryn Jacobson and Bradley Wiffen who have been honoured as two of Lexpert® Rising Stars: Leading Lawyers Under 40 for 2023.Tamryn Jacobson is a partner in the…