The Office of the Privacy Commissioner of Canada (OPC) has released a for its consultation on transborder dataflows, providing further background as follows: "Our change in position is based ultimately on our obligation to ensure that our policies reflect a correct interpretation of the current law. During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a "disclosure" is debatable and likely not correct as a matter of law. . . As such, it seems to us that the activity in question is at least a "disclosure" between the responsible organization and the third party (and possibly also a use for the responsible organization). To conclude that the activity is not a disclosure seems to us, with respect, to be an interpretation that is inconsistent with PIPEDA. As a result, an organization must, in accordance with Principle 4.3, obtain consent for a transfer to a third party for processing, including for transborder transfers." The OPC supplementary discussion document also sets out questions for stakeholders, including:
- In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
- Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
- What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC's Guidelines for obtaining meaningful consent, in force since January 1 2019? Specifically:
- In what circumstances should consent be implicit or explicit?
- What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
- Should the notice to the affected person name the third parties?
- Should the notice contain other pieces of information?
- Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
- If the elements identified in question 3(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
- What elements should be included in obtaining consent for transfers for processing that are not transborder?
- Do you think the proposed interpretation of PIPEDA is consistent with Canada's obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 3(b) must disclosed as part of the openness principle?
The deadline for responses to the OPC's consultation is June 4, 2019.