Privacy Commissioner Withdraws Transborder Consultation, Suggests Proactive Audits

Print Friendly, PDF & Email

On May 22, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) held its annual forum in Toronto, Ontario. Federal Commissioner Daniel Therrien headed the annual forum along with his provincial counterparts Jill Clayton, the Information and Privacy Commissioner of Alberta, and Michael McEvoy, the Information and Privacy Commissioner of British Columbia.

The forum provides the OPC with an opportunity to update practitioners and stakeholders on current and upcoming privacy matters as well provides an opportunity to discuss and share perspectives. Not surprisingly, the topic of transborder data flows dominated the discussion. Here are three key takeaways from the forum.

Expect a new transborder data flow consultation process

As discussed in our blog post here, the OPC announced on April 9, 2019 that it would be holding a stakeholder consultation on transborder data flows. The OPC’s consultation paper proposed a reversal of its two-decades old existing policy on requirements for consent with respect to transfers for processing. The OPC proposed to reinterpret the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) such that transfers, traditionally considered a “use” of the personal information (and which therefore do not require additional consent) now be considered a disclosure (which would require additional consent),

However, on May 21, 2019, the federal Government of Canada announced a new “digital charter” setting out principles for which all government policy and legislation will be measured against (as further discussed in our blog post here). The digital charter includes a background paper recommending significant reform to PIPEDA, including with respect to transborder data flows. In light of the government’s background paper, the OPC announced it is suspending the current consultation process. The OPC indicated it will then announce a new consultation process on transborder data flows that will contemplate both:

  • the current, short term climate of how transborder data flows will be interpreted under the current law, and
  • the long term climate and how the issue should be interpreted under the updated federal law, with consideration of the government’s background paper.

Commissioner Therrien noted that the new consultation process will primarily focus on the long term interpretation under the new, updated federal law.

Stakeholders can expect the OPC to launch the new consultation process, including an updated consultation paper in the coming days.

How to approach transborder data flows in the meantime

Commissioner Therrien advised organizations that as the consultation process moves forward, the OPC does not expect organizations to change their practices with respect to transborder data flows; however, he cautioned that if his office were to receive complaints, it will investigate that organization’s practices with the consultation process in mind, and interpret the law according to the OPC’s most recent views.

While organizations are not expected to change their current practices, they should take steps to assess their exposure of complaints on this issue, including reviewing their privacy statements for clear, easy to read language disclosing that information may be transferred to third parties.

Commissioner proposes proactive audits of data processing agreements

A discussion around Principle 1 – accountability – under PIPEDA and its application to transborder data flows alerted several at the forum. Section 4.1.3 of PIPEDA states that an organization is responsible “for the personal information its in possession or custody, including that which has been transferred to a third party for processing”, and that organizations must use contractual (or other means) to provide a comparable level of protection by that third party.

The Government of Canada’s background paper emphasizes that while an organization may outsource various services to third parties, accountability for that personal information remains with the transferring organization. Commissioner Therrien commented that while accountability is a measure of safeguarding personal information that is transferred to another party, it may not be sufficient, and other means under PIPEDA may be necessary.

The Commissioner noted that his Office is concerned with what it regards as its current inability to proactively enforce the accountability principle. To the surprise of many at the forum, he added that his Office wants powers be able to proactively audit business’ data processing agreements with their third party service providers. In other words, the OPC feels it must be able to proactively look under the hood to ensure organizations are meeting their accountability obligations. Organizations intending to submit a response to the consultation process may wish to consider these comments by the Commissioner.

__

For more information about Denton’s data expertise and how we can help, please see our unique Dentons Data suite of data solutions for every business, including data mapping, contractual review, and consent benchmarking. Our Transformative Technologies and Data Strategy page has more information about our sophisticated tech practice, which focuses on data-driven technologies such as artificial intelligence, data analytics, and digital identity.