On November 24, 2019, the federal Office of the Privacy Commissioner of Canada (OPC) and the Office of the Privacy Commissioner of British Columbia (BC OIPC) released their report of findings (the Report) arising from their joint investigation of Aggregate IQ Data Services Ltd (AIQ). Before the investigation, AIQ processed personal information as a service provider to several organizations involved with political campaigns located in foreign jurisdictions, among them SCL Elections Ltd., the parent company of Cambridge Analytica.
According to the Report, in its capacity as a service provider to organizations located in foreign jurisdictions, AIQ failed to ensure it had meaningful consent from the individuals whose personal information it collected, used, or disclosed, in contravention of Canadian privacy laws. The Report also concluded that AIQ failed to adequately protect personal information it held, and this failure was also a contravention of Canadian privacy laws.1
The reasoning behind the findings raises two questions:
- How do Canadian privacy laws apply to a service provider when it is processing data on behalf of a client in a foreign jurisdiction?
- Must such a service provider police the consent and data collection practices of its client?
We consider each of these questions in turn.
Application of Canadian Privacy Laws
The Report notes that AIQ is responsible for complying with consent requirements for its personal information handling practices in accordance with applicable Canadian or BC privacy laws, even where its clients are located in another jurisdiction.2 On the basis of this premise, the Report concludes that AIQ ought to have ensured that there was adequate consent (as that term is understood in Canadian law) for its collection, use, or disclosure of personal information on behalf of its foreign clients, in the same way as a service provider would need to do with respect to domestic Canadian clients.3
Arriving at that premise, however, requires an interpretation of the law that the statutory language and interpretation by Canadian courts do not clearly support. In some ways, the reasoning of the Report brings to mind the interpretation of “equality” as formal equality rather than substantive equality: the superficial application of rules in a way that fails to achieve balance in effects or outcomes.
Of course, Canadian privacy laws apply to AIQ. It does not follow, however, that service providers servicing clients governed by the laws of another jurisdiction must follow the consent requirements of Canadian law. As the Federal Court of Appeal reminded us in Englander v. Telus,PIPEDA attempts to balance the two competing interests of privacy and organizational needs:4
… even though Part 1 and Schedule 1 of the Act purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the Court must strike a balance between two competing interests. Furthermore, because of its non-legal drafting, Schedule 1 does not lend itself to typical rigorous construction. In these circumstances, flexibility, common sense and pragmatism will best guide the Court.5
The context of AIQ’s role as a service provider to foreign organizations seems precisely like the sort of circumstance where one would want to take a flexible, commonsense and pragmatic approach.
As Canada’s privacy law framework is consent-based, organizations must either obtain meaningful consent or rely on one of the statutory exceptions. The privacy law frameworks of other jurisdictions do not have the same conceptual foundation. This is to be expected in any circumstance in which different jurisdictions have sought to regulate similar subject matter. Under the EU’s General Data Protection Regulation (GDPR), for example, consent is just one of several legal bases upon which processing may be legitimately undertaken; others include public interest, compliance with a legal obligation, or legitimate interest. Some of these map neatly onto Canadian consent exceptions, while some do not.
Should we expect service providers to which Canadian privacy laws apply to perform services only for clients located in jurisdictions that fortuitously regulate privacy interests in the same way that Canada does, and refuse to engage in the international economy where the foreign jurisdiction has taken a different approach? This would appear to be the net practical effect of the reasoning expressed in the Report, given that no client is likely to accede to a demand from a service provider that the client adjust its privacy practices to conform to the requirements of Canadian law.
The consequences of the Commissioners’ approach is particularly important when one considers the situation of Canadian service providers whose client organizations are in the EU. The EU is generally recognized as having the most comprehensive and stringent privacy law framework of all jurisdictions worldwide. The notion that a Canadian service provider should avoid entering into an agreement with an EU client because the legal basis upon which personal information was collected by that client doesn’t fit the Canadian framework is counterintuitive at best.
The obvious retort is that while some flexibility may (and our commissioners would likely emphasize the ‘may’) be in order where a service provider is processing personal information on behalf of a foreign client organization that was collected pursuant to a legal basis not clearly reflected in Canadian law, in the case of AIQ, the legal basis of the collection was consent. As such, the argument might go, requiring service providers in AIQ’s circumstances to respect the consent requirements of Canadian law surely falls within the flexible, commonsensical and pragmatic standard set by the Court.
One counterargument is that even within the domain of consent, there can be a mismatch between the foreign and domestic law frameworks. Indeed, in this case, there is such a mismatch. Under the GDPR, the notion of “consent” is more or less equivalent to the Canadian privacy law notion of express consent. The GDPR does not contemplate implied consent, as that concept is operationalized under Canadian privacy law. If the ambiguity covered by that “more or less” equivalence cannot easily be eliminated, the mismatch could be significant and we are faced again with the need to be pragmatic in the face of different legal frameworks.
In any case, in our view, the answer to the first question is clear: fair application of Canadian privacy law demands that the situation of each service provider be considered in context. Where a service provider processes personal information on behalf of a foreign client, it is particularly important to consider the different legal frameworks that might be in play, rather than simply imposing the same obligations that would apply to a service provider processing information for a domestic client.
Policing Consent and Data Collection
A second counterargument to the retort leads us to the second question asked above. Even assuming that an argument can be made that Canadian privacy law consent requirements should apply to a service provider in AIQ’s circumstances, do those requirements oblige such a service provider to police the consent and data collection practices of its client?
On this issue, the OPC has previously found it reasonable for an organization to rely on contractual arrangements between itself and its client under which the client undertakes to comply with applicable laws and, more specifically, to obtain all required consents from the individuals concerned, especially when obtaining direct consent would be unreasonable.6
The Report, however, seems to suggest that organizations should take steps that go well beyond such reliance. The Report uses the language of “reasonable measures,” echoing the language used in earlier findings, but then says “those reasonable measures should include contractual measures, as well as further measures, such as reviewing consent language used by the client, to verify that the third-party consent upon which AIQ is relying would in fact meaningfully explain its intended uses and disclosures.”7
In our view, it is unrealistic to impose this obligation on service providers. Moreover, not only does the Report break with previous findings in adding such reviews to the reasonable measures to be taken, it departs from the general framework of allocating responsibility between service providers and their clients that the OPC articulated in earlier decisions. Under that framework, even where the consent collected by a client organization is defective, the OPC has found that the service provider is not necessarily in breach of Canadian privacy law consent requirements.
For instance, in PIPEDA Case Summary 2003-1888, the OPC found that it is reasonable for a credit agency to obtain the consumer’s consent through its client businesses and not directly, given the large number of information requests it receives daily and the considerable amount of work this type of procedure could involve. In this case, the credit agency had entered into a service agreement with a telecommunications company, which stated that the company must obtain consent from the consumer before any information request is made to the credit agency. This decision confirmed that even in those cases where an individual objects to the transfer (or use by a third party) of its personal information, the service provider will not necessarily be in breach of the consent requirement, provided it is not aware of the individual’s objection and that it relies on an agreement stating that the client must obtain consent from the individuals concerned before any personal information is transferred to the service provider.
To the extent that the OPC and BC OIPC have revised their position on the allocation of responsibilities between service providers and their clients, we make two observations. First, it would be helpful if the Commissioners recognized and articulated this in their findings, or explain at the very least how the facts and circumstances of the new findings are distinguishable from the earlier. Second, consistent with our discussion above concerning taking different legal frameworks into account, the Commissioners might consider whether such a revised allocation of responsibilities should be applied in an unrestricted fashion where service providers are processing on behalf of foreign clients.
We recognize that the many technological advancements affecting individuals and organizations that have occurred since Canadian privacy law statutes were first enacted certainly call for modernization of our legal framework. We also recognize that some of the impetus for the recent findings of the OPC and BC OIPC has been generated by legal developments in other jurisdictions, and that some commissioners aspire to see substantively similar developments brought to the Canadian privacy law landscape.9 While it may be true that one’s reach should exceed one’s grasp, however, we question the wisdom of memorializing such aspirations in official findings.