As we discussed in a recent blog post on this important issue, the Office of the Privacy Commissioner of Canada (“OPC”) last month announced its intention to interpret the “transfer” of personal information as a “disclosure” rather than a “use” under Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). As we explored, this shift in position has the potential to have a tangible impact on the way in which companies must communicate to, and obtain consent from, customers and other aspects of operations as it relates to the processing of personal information, in particular transborder data transfers, including those between affiliated organizations.
Since the release of the initial position paper of April 9, 2019, there has been much debate as to how the OPC’s new position will change the degree of information that an organization must highlight under their openness obligation, how the shift may affect sectors such as e-commerce, and whether a shift in position will run afoul of international trade agreements. Given these and other mounting concerns, on April 29, 2019, the OPC released a Supplemental Discussion Document. This document appears to address concerns born of the initial position paper, and the intention appears to be to clarify the matters on which the OPC would like to receive input as part of the consultation process, which is set to close June 4, 2019.
There are eight main areas outlined in the document,[i] with a number of sub-questions within each of those areas. We feel it is worthwhile to highlight three main feedback themes in particular: (i) the role and nature of “consent” in this context; (ii) the impact on trade agreements; and (iii) the practical impact on organizations subject to these requirements, in particular those who transfer Canadian data internationally. With respect to the last point, the OPC asks:
Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
This is an interesting question to pose in light of the fact that the OPC’s shift in position from a transfer being a “use” to a “disclosure” is generally viewed as constituting a significant development in Canadian privacy law. That being said, perhaps it is still a relevant matter to explore. It is true that under current OPC Guidelines, companies should already be providing notice to customers about where their personal information will be sent, as well as the risks associated with that, where this requirement already exists under the Accountability and Openness Fair Information Principles. Is the underlying assumption then that the change will be of more legal or theoretical import than having an actual operational impact on businesses? One can only speculate, but perhaps the answer lies somewhere in between. That is, the way in which the “consent” requirements will be interpreted may have significant operational impact on some businesses, and minor, more clerical impacts on others.
As noted previously, our privacy and cyber security team will be monitoring these developments closely over the coming months. Businesses are well-advised to consider the potential impact on their operations and documentation. While there is much that remains uncertain, the likelihood that there will be upcoming changes for Canadian organizations in relation to personal data transfers is surely more than remote at this stage.