The Office of the Privacy Commissioner of Canada (‘OPC’) announced, on 9 April 2019, that it had published a consultation paper (‘the Consultation Paper’) outlining its approach to cross-border data transfers under the Personal Information Protection and Electronic Documents Act, SC 2000 c 5 (‘PIPEDA’), with a view to updating its guidance in this area. In particular, the Consultation Paper outlines the OPC’s view that cross-border data transfers require consent. This follows its investigation into the 2017 data breach at US-based Equifax Inc., in which the personal information of Canadians was compromised. The Consultation Paper highlights that for consent to be valid, individuals must be clearly informed about disclosures, including when third parties are located in another country, and the associated risks. Furthermore, it states that organisations must obtain express written consent where individuals would not reasonably expect the transfer.
In relation to its Equifax Inc. investigation, the OPC highlighted that Canadians were affected by the breach since they had obtained products from Equifax Canada, such as credit monitoring and fraud alerts, the transactions for which were processed by Equifax Inc. The OPC concluded that since Canadian customers interacted exclusively with Equifax Canada and were not explicitly advised that their information would be processed in the US, express consent should have been obtained as individuals would not reasonably expect the transfer.
It is important to recall that the OPC does not have the legal authority to interpret PIPEDA and is not vested with adjudicative or order-making powers
Gratton highlighted, “Requiring individuals’ express consent to the disclosure of their personal information to an affiliate located in the US could be considered contrary to some of Canada’s international obligations. For example, the United States-Mexico-Canada Agreement, which was signed on 30 November 2018 to replace the North American Free Trade Agreement, generally prohibits the restricting of cross-border transfer of personal information between the US, Canada and Mexico […] The OPC’s recommendation to obtain express consent [also] seems to amount to imposing data localisation requirements on private sector organisations that are not found in PIPEDA. [Notably,] such data localisation requirements would go beyond what is provided for in the European General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), which is considered by most commentators as being the most stringent piece of privacy legislation in the world.”
In the Consultation Paper, the OPC stated that it has considered the implications of its position in the context of cross-border trade and the importance of information flows for the purpose of facilitating commerce, and that in its view, this position is consistent with Canada’s international trade obligations. It also highlighted the applicability of its recommendations to both cross-border transfers for processing, and other disclosures between organisations that are not in a controller/processor relationship.
Gratton concluded, “It is important to recall that the OPC does not have the legal authority to interpret PIPEDA and is not vested with adjudicative or order-making powers. Its recommendations and interpretations of PIPEDA are therefore non-binding, and when faced with an application under PIPEDA, the Federal Court may or may not necessarily defer to the OPC’s positions or reports of findings. While it is possible that the Federal Court could find the evolution of the OPC’s position on this issue compelling, it should be noted that the Federal Court has historically limited efforts to read additional legal requirements into PIPEDA. I am hoping that the OPC will revisit its position after reviewing the submissions received in response to its consultation, especially given the important operational challenges and the numerous restrictions to outsourcing activities that this position will trigger for a number of stakeholders.”
RUMER RAMSEY Privacy Analyst