[31920]
August 26, 2019 TO: ICI MembersInvestment Company Directors
ICI Global Members
ICI Global Atlantic Chapter
ICI Global Regulated Funds Committee
Privacy Issues Working Group
SEC Rules Committee SUBJECTS: Compliance
Disclosure
International/Global
Investment Advisers
Operations
Privacy RE: Canadian Government Considering Overhaul of Data Privacy Legislation
The Canadian government is considering sweeping updates to its privacy and data protection laws, including amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Separately, the Office of the Privacy Commissioner (OPC), which oversees PIPEDA, has recently weighed in on the need for express consent for third party data processing. These developments may change existing requirements that apply to asset managers—for example, around the transfer of personal information for third party data processing.
Canadian Federal Government Proposes Amendments to Modernize Existing Data Privacy Legislation
The Canadian federal government published its Digital Charter initiative in May in which it suggests that it will address transborder dataflows in upcoming amendments to its existing federal data privacy legislation.[1] At a high level, the Digital Charter outlines ten principles to guide the government’s approach to digital and data transformation in Canada. These principles focus on preparing for the workplace of the future, unleashing innovation, and protecting data privacy interests and promoting trust.
As part of these efforts, the government intends to modernize and streamline the existing data privacy legislation (PIPEDA). The government released a discussion paper accompanying the Charter, which outlines potential approaches to PIPEDA reform.[2] The government intends these amendments to better align Canadian privacy legislation with international privacy law frameworks (including those in the European Union) in order to achieve an integrated digital economy both domestically and abroad.
PIPEDA is a principles-based, technology-neutral law that applies to a wide range of commercial activity, and is overseen by an Agent of Parliament, the OPC.[3] PIPEDA's requirement for knowledge and consent requires organizations to inform individuals of the purpose of the collection, use, or disclosure of their personal information, and to obtain their consent. The OPC’s 2009 guidelines clarify, however, that a transfer of data for processing is deemed to be a “use” of information rather than a “disclosure” and does not require specific consent.[4] PIPEDA does not distinguish between domestic and international transfers of data.
The government’s discussion paper proposes various amendments to PIPEDA, including modernizing its consent and transparency requirements.[5] For example, it proposes requiring organizations to provide individuals with specific, standardized, plain-language information on the intended use of the information as well as on the third parties with which information will be shared. It also proposes prohibiting the bundling of consent into a contract.
Similar to the 2009 OPC guidelines, the discussion paper recognizes that there should be certain alternatives or exceptions to consent for common uses of personal information for standard business activities. The term “standard business practices” could capture purposes such as fulfilling a service; using information for authentication purposes; sharing information with third-party processors; risk management; or meeting regulatory requirements.
The paper also asks the following questions about a “standard business practices” exception to consent:
- What are the benefits or risks of removing the requirement to obtain consent to process personal information for purposes that are considered to be standard business practices?
- What activities should be captured by such a provision?
- What must be outside the scope of such a provision?
The government’s discussion paper welcomes written submissions as well as official meeting requests and notes that discussions that result from this paper will inform the development of options for legislative reform. We understand that the government will be accepting written submissions through this fall. We do not expect further significant government activity on PIPEDA reform until after the Canadian federal election takes place in late October.
OPC Releases Consultations on Need for Express Consent for Third Party Data Processing
While the government considers its path forward on PIPEDA reform, the OPC separately has released two consultations on revising its 2009 policy position on transborder dataflows under PIPEDA. This revised position appears to be inconsistent with the direction of the federal government’s proposed amendments to PIPEDA.
In the first consultation, published earlier this year, the OPC solicited input on revising its 2009 position to require express consent for third party data processing in and outside of Canada: “A company that is disclosing personal information across a border, including for processing, must obtain consent.”[6] The OPC revised this position based on its Equifax investigation finding that, under current law, consent was required for the transfer of personal information from Equifax Canada for processing by its US affiliate, Equifax Inc. According to the OPC, “[d]uring the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a ‘disclosure’ is debatable and likely not correct as a matter of law.”[7]
The OPC withdrew this consultation after the government published the Digital Charter, but then released a second, reframed consultation document in June.[8] The reframed consultation reiterates the OPC’s revised position on requiring consent for transborder data processing, but clarifies that it is consulting with all stakeholders before deciding whether to extend this interpretation to all organizations. The OPC notes its change in position “would require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers.”[9]
The reframed consultation also invites stakeholder views on how future PIPEDA amendments should provide effective privacy protection in the context of transfers for processing. The OPC intends to recommend to the federal government how to amend PIPEDA to effectively protect privacy in the context of transfers for processing. The reframed consultation clarified that the OPC “would not recommend that consent be required in the longer term in the context of data transfers for processing, if other effective means are found to protect the privacy rights of individuals.”[10] However, it takes the position that consent may be required in situations where contractual clauses or other means are not found to be effective protection. The OPC also recommends updating PIPEDA’s complaints based model, instead providing the OPC with authority to proactively inspect organizations’ practices.
The OPC’s reframed consultation closed in early August. We understand that the OPC has received numerous comments expressing serious concern about the substance and process of its revised positioning, particularly in light of the federal government’s upcoming work on PIPEDA reform.
Next Steps
ICI is looking closely at the Canadian government’s discussion paper on PIPEDA amendments. If you have concerns or will be affected by these reforms, please reach out to Linda French (linda.french@ici.org) or Shannon Salinas (shannon.salinas@ici.org).
Linda M. French
Assistant Chief Counsel, ICI Global
Shannon Salinas
Assistant General Counsel - Retirement Policy
endnotes
[1] Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians, Innovation, Science and Economic Development (ISED) Canada (May 21, 2019), available at https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00109.html.
[2] Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information Protection and Electronic Documents Act, Innovation, Science and Economic Development (ISED) Canada, available at https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html.
[3] PIPEDA came into force in 2000.
[4] Guidelines for processing personal data across borders, Office of the Privacy Commissioner (January 2009), available at https://www.priv.gc.ca/en/privacy-topics/airports-and-borders/gl_dab_090127/. “‘Transfer’ is a use by the organization. It is not to be confused with a disclosure.” Furthermore, “[a]ssuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”
[5] The discussion paper also proposes amendments related to data mobility, online reputation management, enabling data trusts for enhanced data sharing, and enhancing the OPC’s enforcement and oversight powers.
[6] Consultation on transborder dataflows, Office of the Privacy Commissioner, available at https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-transborder-dataflows/.
[7] Consultation on transfers for processing – Reframed discussion document, Office of the Privacy Commissioner (June 11, 2019), available at https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/an_190611/.
[8] Id.
[9] Id.
[10] Id.