A high profile data breach involving a US company, Equifax Inc.[i], and its Canadian subsidiary, Equifax Canada Co., along with the coming into force of the European Data Protection Regulation (“GDPR”), appear to be the driving forces behind the Office of the Privacy Commissioner of Canada’s (the “OPC”) recent decision to review and, potentially, significantly change the manner in which cross-border “transfers” of personal information will be treated under Canadian privacy law. In a document that was released on April 9, 2019, the OPC has signalled that it will no longer view a “transfer” of personal information as a “use” but rather as a “disclosure” under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), imposing significant restrictions and additional organizational obligations on cross-border data transfers. The OPC has commenced a public consultation process on this issue, which is to conclude June 4, 2019.

Background

Cross-border transfer of personal information is a vitally important topic for many organizations active in Canada, the United States, the European Union, and elsewhere. As the European Commission recognizes, “it is essential these days to be able to also transmit data to third countries.” Under the GDPR, transfers of data outside of the European Economic Area (“EEA”) require consent and can only occur if data is transferred to a jurisdiction that has “adequacy status” or there is another permissible mechanism, such as the US Privacy Shield or “Binding Corporate Rules.” Canada is one of the countries that is considered to have adequate protection under PIPEDA, so transfers from Europe to Canada are legal without the need for additional mechanisms, such as the Privacy Shield, to be put into place.

Prior to the Equifax investigation, the OPC’s official position on cross-border transfers of personal information was set out in its 2009 Guidelines for Processing Personal Data Across Borders (the “Guidelines”). Under the Guidelines, the OPC acknowledged that PIPEDA does not establish rules governing transfers of personal data for processing. It was the OPC’s position that information flowing between affiliated organizations or to a third party for processing constituted a “use” of information, rather than a “disclosure” of personal information. Provided that the information was being used for those purposes for which it was originally collected, additional consent for the transfer to the third party was not required. Importantly, this approach allowed Canadian entities to outsource data-processing activities to other jurisdictions and/or share personal data with affiliated corporations in other jurisdictions without the need to obtain additional consent.

However, on April 9, 2019, the OPC released a position document on how trans-border and intercompany transfers of Canadian personal information are handled. The OPC takes the position that the transfer of personal information between affiliated organizations or to a third party for processing should be considered a “disclosure” rather than “use” of information and that, consequently, such “disclosures” require meaningful consent.

It would no longer be sufficient to simply include a notice in an organization’s privacy policy that personal data may be stored in a different jurisdiction and be subject to that jurisdiction’s privacy laws. Organizations that process personal information about Canadians in other countries will now have to meet a higher standard to ensure that they have complied with the requirement to obtain meaningful consent from those individuals to process or store their personal data outside of Canada. Also, the form of consent required for trans-border and intercompany transfers of personal information is assessed based on an analysis of: (i) the sensitivity of the information; and (ii) the reasonable expectation of the discloser. Another factor which informs this analysis is the risk of harm to an individual. Where there is a material risk of harm, express consent, rather than implied consent, is required.

Practical Considerations

Not only does the revised position materially alter the established Canadian approach to cross-border data transfers under Canadian law, it also entails several practical considerations for organizations, including the following:

  • Current web privacy policies and other aspects of current privacy programs in general may no longer be adequate to comply with the new approach.
  • Procedures and consent mechanisms may need to be altered or implemented to obtain the consent required when engaging in trans-border data transfers to third-party service providers as well as to affiliated companies located outside of Canada.
  • Supplier and other agreements (e.g. data processing agreements) may require review.
  • Certain sectors, such as e-commerce, will be especially impacted.
  • The additional consent requirements for cross-border data transfers may create unintended trade consequences: they may be viewed as a non-tariff barrier to trade, given that they could be regarded as more onerous than those actually required to adhere to local privacy policies.

Given the significant impact on organizations located in Canada or that process Canadian data, stakeholders are encouraged to participate in consultation with their professional advisors on this topic prior to June 4, 2019.