In April of this year, the Office of the Privacy Commissioner of Canada (OPC) announced that it would be revisiting its 2009 guidelines for processing personal data across borders (the “Guidelines”), and invited submissions from stakeholders as part of a consultation process regarding the Guidelines. Read our previous blog about this reconsideration and consultation.
The Guidelines provided that personal information could be transferred outside of Canada for storage and processing, provided that certain conditions were met – including, for example, that information is protected with appropriate safeguards, and that individuals are provided with appropriate notice that their personal information is stored in, and may be subject to the laws of, that other jurisdiction.
In revisiting the Guidelines, the OPC indicated that it was considering introducing new requirements applicable to storage and processing of personal information outside of Canada, including:
- A requirement to obtain consent from individuals before their personal information is transferred outside of Canada (including for storage or processing by third-party service providers).
- A requirement to inform individuals of options available to them if they do not wish to have their personal information transferred outside of Canada.
- A requirement to ensure that organizations maintain control of personal information transferred to a third party for processing.
During the consultation period, the OPC received 87 submissions from stakeholders, with many raising similar concerns regarding these proposed requirements.
Of those concerns, commonly raised was the fact that there is no requirement pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent to transfer personal information for processing, with the result that making this a requirement would pose significant challenges for organizations seeking to remain privacy-compliant.
On September 23, 2019, the OPC announced that it is restoring its 2009 position on data transfers for processing, and that the Guidelines will therefore remain unchanged.
Accordingly, the OPC has opted to maintain the status quo unless and until existing legislation is changed at some point in the future. However, the OPC reiterated the need for organizations to be transparent regarding how they handle personal information, and to inform the individuals regarding whom they collect or hold personal information that such information may be transferred outside of Canada for processing.
We will be watching for further developments regarding the position of the OPC with respect to transborder data flows and modernization of PIPEDA with interest.