On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposed a reversal of the existing two-decade-old policy on consent in such cases. See our previous post here.
However, the Consultation Paper simply stated the OPC’s position and invited the public’s views, with no indication of why the OPC thought the change was necessary or what the key issues were. Shortly thereafter, the OPC issued a supplemental consultation paper (“Supplemental Consultation Paper”), in which it provided its rationale for its about-face and posed specific questions for stakeholders to consider.
As for its rationale, the OPC stated that during the Equifax investigation it became apparent “that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a “disclosure” is debatable and likely not correct as a matter of law.” The OPC also relied on the dictionary meaning of “disclosure”, as well as how the term is defined in the public sector privacy law, the Privacy Act.
Issues for Stakeholder Consideration
The OPC also took the opportunity to pose specific questions for stakeholders to consider:
1. In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
2. Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
3. What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1, 2019? Specifically:
   a. In what circumstances should consent be implicit or explicit?
   b. What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
   c. Should the notice to the affected person name the third parties?
   d. Should the notice contain other pieces of information?
4. Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
5. If the elements identified in question 3(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
6. What elements should be included in obtaining consent for transfers for processing that are not transborder?
7. Do you think the proposed interpretation of PIPEDA is consistent with Canada’s obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 3(b) must be disclosed as part of the openness principle?
Takeaways for Business and Deadline for Submission
The consultation period remains open until June 4, 2019. Once it is complete, the OPC will likely publish updated guidance (including updating the Meaningful Consent Guidelines). No time frame has been given for this. Organizations that deal with foreign (or domestic) data processors may wish to consider submitting comments for the OPC’s consideration, and in any event would do well to keep a close eye on the consultation process and subsequent developments in this regard.
In anticipation of likely change, organizations should be taking steps to assess their exposure on this issue, and begin mapping their data flows, as well as reviewing their consent language and processes. Organizations transferring personal information to affiliates should review if they have intercompany agreements in place or other infrastructure that supports a defensible transfer.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including data mapping, contractual review, and consent benchmarking.