Seeking input from interested third parties, the Office of the Privacy Commissioner of Canada (OPC) announced a revision to its policy position on transborder data flow under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) through the recent release of a consultation document (the “Consultation Document”) and a supplementary discussion document.
The key points from the Consultation Document include the following:
The Consultation Document represents a shift in approach from that set out in the OPC’s 2009 Guidelines for Processing Personal Data Across Borders, which provided, among other things, that "a transfer for processing is a 'use' of the information; not a disclosure." The change, under which cross-border data transfers will be considered a "disclosure" and not a "use" of personal information, would help position Canada's privacy rights closer to the European General Data Protection Regulation (GDPR).
In the supplementary discussion document, the OPC set out that the change in its position is based in part on findings from its investigation into Equifax's 2017 data breach. The OPC concluded that "a transfer of personal information between one organization and another clearly fits within the generally accepted definition of 'disclosure'." The supplementary discussion document also states that along with consent, the principles of accountability and openness under PIPEDA apply.
This proposed policy position from the OPC has implications with respect to the consent required to transfer an individual’s personal information across a border. Under this new policy direction, further disclosure and express consent may be required to the extent that personal information is being disclosed to a third party in a different jurisdiction. As stated in the supplementary discussion document, the OPC's change in position will "require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers."
To ensure compliance under PIPEDA, organizations should: (i) identify and map how personal information is collected, used/processed, stored, transferred and disclosed, and (ii) assess whether adequate consent has been obtained. This is particularly so given the policy position stated in the Consultation Document.
At this stage, organizations are encouraged to provide comments to the OPC with respect to the Consultation Document by June 4, 2019. The Cybersecurity and Data Privacy team at Bennett Jones is available to assist your organization in doing so and to answer any questions you might have about your organization’s privacy obligations.