Q&A on the transfers of personal information
Where are we now under PIPEDA?
The CBA’s Privacy and Access Law Section recently commented on consultations by the Office of the Privacy Commissioner regarding transfers of personal information. Following the consultation process, the OPC decided not to proceed with planned changes. Timothy Banks, Vice-Chair of the Section, discusses the impact of that decision.
Briefly, what was the issue?
The Office of the Privacy Commissioner of Canada announced in April that it was revising how it approaches transfer for processing and transfers across borders. The established guidance was that transfers for processing did not involve a disclosure as long as the recipient data processor only used the personal information for the purposes for which the individual originally provided consent. The fact that the data went across borders did not change the analysis, provided that the party outsourcing the processing ensured that there was a comparable level of protection by using contractual or other means.
However, in April, the OPC released its PIPEDA Report of Findings #2019-001 in which it concluded that its previous policy position might be legally incorrect. The OPC concluded that the transfers between Equifax Canada and its U.S. affiliates were, in fact, a disclosure. Because the Personal Information Protection and Electronic Documents Act is a consent-based model of personal information protection legislation, this raised the possibility that organizations using outsourcing and transferring data across borders might need to get consent. In the Equifax case, the OPC required separate express consent.
What did the CBA ask for?
The Privacy and Access Section drew on its extensive history of analyzing PIPEDA and making recommendation on PIPEDA reform. The CBA argued that the original interpretation of PIPEDA was correct: there is a categorical difference between a disclosure between organizations solely for processing, where the outsourcing entity retains control over the personal information, and a disclosure where the disclosing organization does not retain any control over the personal information.
Further, the CBA questioned whether a consent-based regime really added value for individuals in a globalized economy in which cross-border transfer of data for processing is well-entrenched. Instead, the CBA argued that the principles of transparency and accountability were more important in protecting individuals. The principle of accountability requires that organizations take meaningful steps to ensure that the personal information is protected, which may include contractual commitments and other means such as auditing.
What did the OPC decide?
Ultimately, the OPC agreed that it would not revise its approach to outsourcing and cross-border transfers. Commissioner Therrien does not necessarily accept the prevailing view, however, he took a pragmatic approach after hearing from the CBA and other stakeholders. While the Commissioner believes that there are inherent risks in outsourcing and cross-border data flows, he was convinced not to amend the guidance at this time.
What are the implications of that decision?
Organizations should not assume that it is clear sailing. PIPEDA still requires meaningful consent for the collection and user of personal information. The OPC clearly thinks that there are inherent risks in outsourcing and transborder transfers of personal information. Therefore, this is an issue that must be brought to the attention of the individual even if separate consent is not required.
Very recently, the OPC applied this approach in PIPEDA Report of Findings #2019-003 in an investigation into Loblaw’s gift card program. One of the complaints was that Loblaw engaged a third-party administrator in the United States to manage the gift card program. The OPC found in favour of Loblaw. Loblaw had very specific and clear information in its privacy notice disclosing the fact that it was using service providers, including the identity of those service providers, and the fact that they were located in other jurisdictions and that the personal information would, therefore, be subject to the laws of those other jurisdictions. The amount of detail that Loblaw provided goes beyond what many organizations provide.
What if the OPC decides to pursue the same changes through legislation?
It is clear that the Commissioner remains concerned. Industry Science and Economic Development has put forward proposals for potential areas that PIPEDA might be amended. It is very likely that the OPC will want to see the issue of transfers addressed in some way. However, this doesn’t necessarily mean that the OPC would want legislative amendments to make it clear that these transfers are disclosures and require consent. The OPC’s larger concern is the protection of individuals. If this could be achieved through other means, such as model contracts with auditing or inspections of organizations for demonstrable accountability and transparency, this might be acceptable to the OPC. The issue is paused and not completely over.