In a further development in the on again/off again transborder data flows consultation, the Office of the Privacy Commissioner of Canada (“OPC”) has announced it is on again.
The OPC made the announcement on June 11, 2019 and characterized this new consultation as a “re-framing” of the prior, withdrawn one. Our commentary on the on again/off again process can be found here, here and here.
The OPC said it had decided to change its approach to consultation in light of the publication by the federal government of its Digital Charter on May 21, 2019 which suggested to the OPC that “transborder data flows may be dealt with in an eventual new federal privacy law.”
The OPC is inviting stakeholder views both on how the current law should be interpreted and applied in these contexts, and on how a future law should provide effective privacy protection in the context of transfers for processing.
Content of Re-Framed Consultation
There is little difference between the content of the documents that were the topic of the prior suspended consultation and this re-framed document.
The OPC has largely consolidated its original consultation documents and questions into this new, re-framed discussion document. The questions previously posed with respect to the current law remain the same, and the OPC has added additional questions related to how a future law could address transborder data flows to effectively protect privacy.
The new questions with respect to any future law are:
- How should a future law effectively protect privacy in the context of transborder data flows and transfers for processing?
- Is it sufficient to rely on contractual or other means, developed by organizations and reviewed only upon complaint to the OPC, to provide a comparable level of protection? Or should a future law require demonstrable accountability and give a public authority, such as the OPC, additional powers to approve standard contractual clauses before they are implemented and, once they are adopted, proactively review their implementation to ensure a comparable level of protection?
- How should a future law effectively protect privacy where contractual measures are unable to provide that protection?
At the annual privacy commissioner forum on May 22, 2019, Commissioner Therrien had advised organizations that the OPC was withdrawing the prior discussion paper and consultation, and stated that as the consultation process moves forward, the OPC did not expect organizations to change their practices with respect to transborder data flows; however, he cautioned that if his Office were to receive complaints, it would investigate that organization’s practices with the consultation process in mind, and interpret the law according to the OPC’s most recent views.
This proposed approach caused some concern at the annual forum, and the position was criticized by some as having no basis in law and creating an uncertain business environment. The re-framed discussion paper appears to respond to this, at least in part, but only offers this cryptic statement (footnotes omitted):
However, the interpretation of the existing federal legal regime must of course be based on the text adopted by Parliament, read in its entire context and in its grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament. In Equifax, the OPC applied a different interpretation to that which had been previously given, at the end of what is by law a confidential process involving complainants and the respondent organization. We did not reach that result lightly, but ultimately concluded that the new interpretation was more consistent with the text of PIPEDA. Before deciding whether to maintain that interpretation to all organizations, we now want to hear from all stakeholders.
Deadline for Submission
The deadline for submissions is August 6, 2019.
For more information about Denton’s data expertise and how we can help, please see our unique Dentons Data suite of data solutions for every business, including data mapping, contractual review, and consent benchmarking. Our Transformative Technologies and Data Strategy page has more information about our sophisticated tech practice, which focuses on data-driven technologies such as artificial intelligence, data analytics, and digital identity.