Privacy Commissioner Reverses its Position on Cross-Border Transfers of Personal Information
Last week the Office of the Privacy Commissioner of Canada (the “OPC”) launched a “Consultation on transborder dataflows” (the “Consultation”), in which it proposes to totally reverse its policy position on cross-border data transfers by organizations subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). In the absence of an applicable exception under PIPEDA, the OPC’s revised view is that the transfer of personal information for processing, including a cross-border data transfer or the transfer of personal information to an affiliated corporation, is a “disclosure” of personal information that requires consent.
The OPC’s new proposal is a departure from its previous position. Up until the release of the Consultation and the OPC’s accompanying report of findings in its investigation into the 2017 Equifax breach (the “Equifax Report”), the OPC’s policy position has been that a transfer of personal information for the purpose of processing is a “use” rather than a “disclosure” of personal information. The implication of such a transfer being a “use” is that transferring organizations are required to provide notice to affected individuals, while the main implication of that transfer being a “disclosure” is that the organization requires consent of the individual for the transfer.
The reason given by the OPC for this policy change is that under PIPEPA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. Since “nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements”, the OPC’s updated view is that, “as a matter of law, consent is required”.
The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements. It is seeking input on its updated policy position, as well as on specific areas for which related guidance would be most needed. Comments are due by June 4, 2019.
The cross-border disclosure of personal information, including for processing, requires consent
The Consultation also highlights the importance of obtaining meaningful consent. For consent to be valid, organizations must provide individuals with clear information regarding any disclosure to a third party, including instances when they are located in another country, and the associated risks.
In determining whether express or implied consent is appropriate, companies should consider the sensitivity of the information and the individuals’ reasonable expectations in the circumstances; underlying both should be a consideration of the risk of harm to the individual. The OPC notes that “where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied”. In the OPC’s view, “individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.”
Individuals must be informed of any options available if they do not consent to cross-border disclosures of their personal information
Individuals must be provided with clear and adequate information about the nature, purpose and consequence of any cross-border disclosure of personal information, so they can make an informed decision about whether to consent to the disclosure. Where the disclosure is not necessary to provide a product or service, individuals must be provided with a clear and easily accessible choice regarding the disclosure. However, where the transfer for processing is “integral to the delivery of a service”, organizations are not obligated to provide an alternative.
The OPC did not specify a test for what is “integral to the delivery of a service”.
When disclosing personal information to a third party for processing, a company does not relinquish control of the information
An organization that transfers personal information for processing will generally remain accountable for the personal information as the “controller”. The Consultation notes that determining which organization has personal information “under its control” can be complex and must be assessed on a case-by-case basis. The OPC will look at factors such as contractual arrangements, commercial realities, evolving business models and shifting roles when determining which organization “controls” the personal information. As is currently the case, the controller will still be required to use contractual or other means to provide a comparable level of protection while the information is being processed.
The OPC’s finding about the Equifax breach illustrates this accountability.
The OPC found that Equifax Canada remained accountable for the handling of Canadian personal information by Equifax Inc. The OPC determined that for the purposes of personal information handling under PIPEDA, Equifax Inc. is considered a “third party” to Equifax Canada because: (a) they are separately incorporated in different jurisdictions; (b) although both the Privacy Policy and Terms of Use available to Canadians at the time of the breach make reference to the possibility of Equifax Canada partnering with affiliates in the delivery of products, they are separate entities; and (c) Equifax Canada has consistently represented that its Chief Privacy Officer is the designated individual accountable for the handling of personal information by Equifax Canada.
The OPC also found that “to determine the appropriate levels of controls, consideration must be given to both the scope and sensitivity of personal information being handled”. In some cases “where the third party is closely affiliated and the personal information being handled is of limited scope and sensitivity, it may be possible to rely on light controls and pre-existing, adequate, policies and practices of the third party” to fulfil the accountability obligations of the controller. However, where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the level of controls should be “commensurately high”, including at a minimum: (a) a formal written arrangement, updated periodically and in the case of material changes; and (b) a structured program for monitoring compliance against the obligations laid out in the arrangement that is suitable to the scope and sensitivity of the personal information being handled.
Ultimately, the OPC concluded both Equifax Inc. and Equifax Canada contravened PIPEDA due to: (a) inadequate data protection safeguards by both companies; (b) inadequate accountability by Equifax Canada with respect to Canadian data processed by Equifax Inc.; and (c) the failure of Equifax Canada to obtain valid consent from individuals whose personal information was transferred to Equifax Inc. for processing and was eventually compromised.
Implications for Businesses
The OPC’s shift in its position suggests a progression in aligning PIPEDA with the European Union’s General Data Protection Regulation and Canada’s international trade obligations. In setting out its revised policy position on cross-border data transfers, the OPC notes “organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process.” While “individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation)”, at the same time “organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.”
As data transfers for processing are now considered third-party disclosures, regardless of whether the transfer is to a third party or an affiliate company, organizations should re-examine their consent processes and privacy policies. To obtain valid consent, organizations should provide clear and adequate information about the nature, purpose and consequence of any transfer of personal information to a third party, including instances when they are located in another country, and the associated risks. Where the information will be disclosed outside of Canada, individuals should be informed their personal information may be subject to the legal regime of another country. Where the disclosure is not necessary to provide a product or service, individuals must be provided with a clear and easily accessible choice regarding the disclosure.
Companies should also ensure they enter into data processing agreements that impose sufficiently robust obligations on recipient organizations, including for intercompany transfers of personal information between affiliated entities. Where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the parties should have in place: (a) a formal written arrangement, updated periodically and in the case of material changes; and (b) a structured program for monitoring compliance against the obligations laid out in the arrangement that is suitable to the scope and sensitivity of the personal information being handled.
Authors
Insights
-
Litigation and Dispute Resolution
No “Magic Words” Required: Supreme Court of Canada Holds Exclusion Clauses Released Seller From Implied Statutory Conditions
On May 31, 2024, the Supreme Court of Canada released its decision in Earthco Soil Mixtures Inc. v. Pine Valley Enterprises Inc., 2024 SCC 20, which clarifies how contractual exclusion clauses are to… -
Capital Markets
Public Safety Canada Releases Updated Guidance on Modern Slavery Reporting Obligations
The Fighting Against Forced Labour and Child Labour in Supply Chains Act (the “Act”) came into force on January 1, 2024, implementing enhanced reporting requirements for certain entities to… -
Crisis Management and Urgent Proceedings
Panoramic Next: Crisis Management 2024 - Canada Chapter
Mark Dunn and Sarah Stothart co-authored the Canada Chapter of Panoramic Next: Crisis Management 2024. Through a series of interviews with expert legal… -
Capital Markets
Modern Slavery Reporting Obligations for Canadian Entities Effective January 1, 2024
The Fighting Against Forced Labour and Child Labour in Supply Chains Act (the “Act”) came into force on January 1, 2024, implementing enhanced reporting requirements for certain companies and… -
Litigation and Dispute Resolution
Director Duties and Climate Change
Decisions earlier this year from the English courts in ClientEarth v Shell Plc et al., and the recent appeal decision from the Court of Appeal of England and Wales, shed light on climate change issues… -
Intellectual Property
Canadian Intellectual Property Office Increases Fees Effective January 1, 2024
As of January 1, 2024, the Canadian Intellectual Property Office (CIPO) will be increasing most of its fees by 25%. Filing fees, renewal fees, opposition filing fees, as well as fees for initiating…
Featured Work
-
Mergers and Acquisitions
Apotex Inc. acquires Searchlight Pharma Inc.
Goodmans LLP advised Apotex Inc. in connection with its acquisition of Searchlight Pharma Inc… -
Shareholder Activism
Browning West achieves landmark victory in Gildan Activewear proxy campaign
Goodmans LLP acted for Browning West, LP in the successful reconstitution of Gildan Activewear’s entire board, culminating in the reinstatement of CEO Glenn Chamandy… -
Capital Markets
Dye & Durham’s defence of requisition from Engine Capital
Goodmans LLP is acting for the board of Dye & Durham in connection with a defence of requisition from Engine Capital… -
Capital Markets
Board of WonderFi Technologies Inc.’s proxy defense from KAOS Capital and Mogo
Goodmans LLP acted for the special committee of the board of WonderFi Technologies Inc in connection with its defense of a proxy contest launched by KAOS Capital and MOGO. KAOS Capital is a… -
Restructuring
LoyaltyOne cross-border restructuring
Goodmans LLP is counsel to KSV Restructuring Inc. in its capacity as court-appointed monitor of LoyaltyOne, Co. in its restructuring proceedings under the Companies’ Creditors Arrangement Act before… -
Mergers and Acquisitions
Coinsquare, WonderFi and CoinSmart close business combination
Goodmans LLP acted for Coinsquare Ltd. in its business combination transaction with WonderFi Technologies Inc. and CoinSmart Financial Inc…
News & Events
-
Intellectual Property
Jenene Roberts at IPIC's Refusals Motions in the Federal Courts – Strategies for IP Lawyers
Join Jenene Roberts on September 10th at 1:00 pm for the Refusals Motions in the Federal Courts – Strategies for IP Lawyers webinar with the Intellectual Property Institute of… -
Litigation and Dispute Resolution
Goodmans Welcomes Julia Martschenko
Goodmans is pleased to announce Julia Martschenko has joined the firm as an associate in the Dispute Resolution Group. Julia will be a terrific addition to our firm.We warmly welcome Julia to… -
Litigation and Dispute Resolution
Goodmans Awarded at the 2024 Benchmark Canada Awards
For the second time in as many months, Goodmans Intellectual Property Group has won multiple awards. We are delighted to share Goodmans has been honoured with two distinguished awards at the…