In April, the Office of the Privacy Commissioner of Canada (OPC) published a consultation paper and supplementary discussion document (collectively, the Consultation) regarding cross-border data transfers and other disclosures of personal information between organizations.
Background: In its 2009 Guidelines for Processing Personal Data across Borders (2009 Guidelines), the OPC expressed the opinions that:
- Organizations that transfer personal information to a third party (including a third party in another jurisdiction) are accountable for protecting that personal information and must use contractual or other means to provide a comparable level of protection while that information is being processed by the third party.
- The “transfer” of information is a use by the organization and not to be confused with a disclosure within the meaning of the Personal Information Protection and Electronic Documents Act (PIPEDA). Assuming that the information is being used for the purpose for which it was originally collected, additional consent for such a transfer is not required.
- Organizations should be transparent about their personal information handling practices. Among other things, organizations that might send a customer’s personal information to another jurisdiction for processing should advise customers of this practice, ideally when the information is collected.
The OPC Has Changed Its Mind: During its investigation into the Equifax data breach, the OPC revisited the position set out in (2) above. It has now concluded that a transfer of personal information by one organization to another for processing of that information likely is a “disclosure” within the meaning of PIPEDA. Consequently, the OPC now believes that an organization that wants to transfer information to a third party for processing (including a cross-border transfer) requires consent.
What Does the OPC’s Revised Position Mean for Organizations? Although the OPC is consulting the public on this shift in its guidance and could conceivably change its mind again, we think organizations should treat this new interpretation as being in effect now. After all, this is a change in interpretation, not a change in the underlying law itself.
- Obtain Informed Consent: According to the OPC, an organization that discloses information across a border, including for processing, must obtain consent unless an exemption from PIPEDA applies. The form of content depends on the sensitivity of the information and the risk of harm to the individual.
- If there a meaningful risk of significant harm to the individual from inappropriate use or disclosure of their personal information, the consent should be express, not implied.
- Individuals would reasonably expect to be notified that their information was to be disclosed outside Canada and be subject to another country’s legal regime.
- Individuals should be informed of their options if they do not want their personal information disclosed across borders. If the cross-border transfer of information for processing is integral to the organization’s delivery of a service, the organization will not be expected to provide an alternative. But it will be expected to provide clear and adequate information about the consequences of disclosure of the personal information across the border, so that the individual can make an informed decision whether or not to do business with the organization.
- Accountability: An organization should assess its policies, procedures and contracts, as well as the commercial environment and regulatory framework at home and in the other jurisdiction, to determine whether it has adequate controls in place to mitigate the risks of inappropriate use or disclosure of a customer’s personal information.
- Assess Your Domestic Transfers of Information, Too: Although the Consultation focuses on cross-border data flows, the OPC’s change in policy position is relevant for domestic transfers of information as well, such as transfers to the firm’s service providers. We recommend that organizations consider whether, in light of the sensitivity of the information and potential risks associated with the transfer of information, they have given enough information to their customers to enable them to meaningfully consent to the transfer and disclosure of information to another organization. They also should assess their outsourcing arrangements to confirm that third parties have adequate controls in place to protect the personal information of the firm’s customers.
The deadline for commenting on the Consultation is June 28.