TO REQUIRE CONSENT OR TO NOT REQUIRE CONSENT? THAT WAS (AND COULD STILL BE) THE QUESTION

On September 23, 2019 the Office of the Privacy Commissioner of Canada (“OPC”) concluded their consultation on transfers of personal information for processing purposes.[1]  The consultation sought stakeholder feedback on the matter by posing 11 specific questions related to the current and future law of data transfers, but at the heart of the consultation was whether consent should be required when transferring personal information to a third party for processing in a different jurisdiction.[2]  The OPC received 87 submissions during the consultation, some of which were on behalf of more than 90 stakeholders.[3] The majority of the submissions rejected the proposition that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) required organizations to seek consent for transfers to third parties for processing, prompting the OPC to ultimately restore their initial interpretation of PIPEDA to that effect.[4] It was the OPC’s recent deviation from this interpretation in their April 2019 Report of Findings in the Investigation of Equifax Inc. and Equifax Canada[5] (the “Equifax Decision”) that received widespread attention[6] and sparked the consultation in the first place.

In April 2019 the OPC released the Equifax Decision, the OPC’s conclusion following an investigation into Equifax Canada’s transfer of consumer financial information to Equifax Inc. (an entity in the United States) for processing.[7] In their report, the OPC found that Equifax Canada should have sought express consent from customers when transferring personal information to a third party in a foreign jurisdiction for processing, as this constituted a “disclosure” within the meaning of Principle 4.1.3 of PIPEDA. This finding directly contradicted the OPC’s 2009 Guidelines for Processing Personal Data Across Border (the “Guidelines”), which distinguished a “transfer” or “use” from a “disclosure” and only required appropriate notice to consumers informing them that their personal information was being processed in a foreign jurisdiction (provided that the transferring organization took reasonable steps to provide a comparable level of data protection while in the hands of foreign entities through contractual terms and the transfer was for the purpose for which the information was initially collected).[8] Given the departure from the OPC’s previous findings on similar matters and its commitment in writing to such an interpretation in their Guidelines, the OPC launched a consultation soliciting stakeholder feedback on the change in their position.

Based on the responses received in the course of the consultation, the OPC concluded that their Guidelines and interpretation of Principle 4.1.3 will remain unchanged under PIPEDA as it currently stands. In coming to their conclusion, the OPC recognized the business challenges that a consent requirement would impose and conceded that they would “maintain status quo until the law is changed”.[9] In their conclusion, the OPC also recognized the reality that implementation of their new position likely would not be applied in practice for many years, at which point amended legislation on the matter may already be in place.

Throughout the consultation process, the OPC made many references to the impending statutory reform of PIPEDA,[10] which serves as a reminder that OPC decisions and interpretive guidelines are, in fact, not binding at law.[11] While businesses, the legal community and industry groups may have been pleased with the OPC’s immediate conclusion following the consultation, the relief could be short lived depending on what statutory amendments will be made to PIPEDA in the coming years.  Innovation, Science and Economic Development Canada’s recently published discussion paper, Strengthening Privacy in the Digital Age, which outlines four areas of reform and includes enhancing individuals’ control, making specific reference to accountability as it relates to trans-border data flows for processing.[12] Thus, the real value of the OPC’s consultation may be realized in how they will use the information and insight obtained to advise Parliament on how legislative amendments to PIPEDA should deal with the issue of data transfers for processing purposes. The OPC stated it will now focus its efforts on “how a reformed law can best protect Canadians’ privacy rights when their information is transferred between organizations”.[13] The OPC’s mandate is to act as a public advocate for our privacy rights;[14] it remains to be seen whether the OPC will take into consideration the business and practical implications raised by stakeholders throughout the consultation process when determining what constitutes “best” protection for Canadians and making recommendations to Parliament. To require consent or to not require consent? That is still the question, but now it’s Parliament’s turn to answer.

Written by Madison Black, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2019/2020 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

 

[1] Office of the Privacy Commissioner of Canada, Announcement, “Commissioner Concludes Consultation on Transfers for Processing” (23 September 2019), online: <https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/an_190923/>.

[2] Canada, Office of the Privacy Commissioner of Canada, “Consultation on Transfers for Processing – Reframed Discussion Document”, Consultation (Ottawa: Office of the Privacy Commissioner of Canada, 2019), online: <https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-transfers-for-processing/>

[3] Osler, Hoskin & Harcourt LLP, “OPC Consultations on Transborder Dataflows”, Submission to the OPC, (6 August 2019), online: < https://www.accessprivacy.com/AccessPrivacy/media/AccessPrivacy/Content/news/AccessPrivacy-Submission-to-OPC-re-Transfers-for-Processing.pdf>.

[4] Canada, Office of the Privacy Commissioner of Canada, “Processing Personal Data Across Borders Guidelines” (Ottawa: Office of the Privacy Commissioner of Canada, January 2019) online: < https://www.priv.gc.ca/en/privacy-topics/airports-and-borders/gl_dab_090127/>.

[5] Canada, Office of the Privacy Commissioner of Canada, Investigation into Equifax Inc. and Equifax Canada Co.’s Compliance with PIPEDA in Light of the 2019 Breach of Personal Information (9 April 2019), PIPEDA Report of Findings #2019-001, online: <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-001/>.

[6] Molly Reynolds and Shalom Cumbo-Steinmetsz, “What the OPC’s Decision in Equifax Means for Cross-border Data Transfers and Outsourcing” (11 April 2019), Torys LLP, online <https://www.torys.com/insights/publications/2019/04/what-the-opcs-decision-in-equifax-means-for-cross-border-data-transfers-and-outsourcing>; Lisa R. Lifshits, “The Many Lessons of the Equifax Data Breach” (15 April 2019), Torkin Manes, online: <https://www.torkinmanes.com/our-resources/publications-presentations/publication/the-many-lessons-of-the-equifax-data-breach>; Bernice Karm, “Privacy Commissioner Reverses Course – Consent Required for Personal Information Processing” (16 April 2019), Bassels Brock and Blackwell LLP, online: <https://mobile.casselsbrock.com/Issue/Privacy_Commissioner_Reverses_Course___Consent_Required_for_Personal_Information_Processing>; Monique McAlister, Peter Rudy and Niki Kermani, “Privacy Commissioner Reverses Its Position on Cross-Border Transfers of Personal Information” (15 April 2019), Goodmans LLP Update, online: < http://www.goodmans.ca/files/file/docs/04.15.2019%20-%20Privacy%20and%20Litigation%20Update.pdf>; Barry Sookman, “OPC Consultation on Trans-border Data Flows: My Submission to the Consultation” (6 August 2019), Barry Sookman, online: <https://www.barrysookman.com/2019/08/06/opc-consultation-on-trans-border-data-flows-my-submission/>.

[7] Supra note 5.  

[8] Supra note 4.

[9] Supra note 1.

[10] Canada, Innovation Science and Economic Development Canada, Strengthening Privacy for the Digital Age (May 2019), online: <https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html>.

[11] Canada, Office of the Privacy Commissioner of Canada, PIPEDA Interpretation Bulletins (30 January 2017), online: <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/>.

[12] Supra note 10.  

[13] Supra note 1.

[14] Canada, Office of the Privacy Commissioner of Canada, How the OPC Protects and Promotes Privacy (10 November 2016), online: <https://www.priv.gc.ca/en/about-the-opc/what-we-do/mm/>.