Canada's Office of the Privacy Commissioner Reverses Position on Information Transfers for Data Processing
[31985]
September 30, 2019 TO: ICI MembersInvestment Company Directors
ICI Global Members
ICI Global Atlantic Chapter
ICI Global Regulated Funds Committee
Privacy Issues Working Group
SEC Rules Committee SUBJECTS: Compliance
Disclosure
International/Global
Investment Advisers
Operations
Privacy RE: Canada's Office of the Privacy Commissioner Reverses Position on Information Transfers for Data Processing
On September 23, 2019, Canada’s Office of the Privacy Commissioner (OPC) announced[1] that it will not change its 2009 policy position on transborder data flows, which provides that a transfer of data for processing does not require a customer’s specific consent.[2] The OPC received significant industry pushback in response to its June 2019 consultation on changing its 2009 policy position to require express customer consent for transfer of data for third party processing in and outside of Canada. The OPC will now focus its efforts on developing recommendations for modernizing the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s existing data privacy legislation which OPC oversees.[3] The announcement is welcome news, since many had expressed serious concern about the substance and process of OPC’s revised positioning.
Background on OPC Consultations on Need for Express Consent for Third Party Data Processing
Earlier this year, the OPC released two consultations on revising its 2009 policy position on transborder data flows under PIPEDA.
In the first consultation, the OPC solicited input on revising its 2009 position to require express consent for third party data processing in and outside of Canada: “A company that is disclosing personal information across a border, including for processing, must obtain consent.”[4] The OPC revised this position based on its Equifax investigation finding that, under current law, consent was required for the transfer of personal information from Equifax Canada for processing by its US affiliate, Equifax Inc. According to the OPC, “[d]uring the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a ‘disclosure’ is debatable and likely not correct as a matter of law.”[5]
The OPC withdrew this consultation after the government published its recent Digital Charter,[6] but then released a second, reframed consultation document in June.[7] The reframed consultation reiterates the OPC’s revised position on requiring consent for transborder data processing, but clarifies that it was consulting with all stakeholders before deciding whether to extend this interpretation to all organizations. The OPC noted its change in position “would require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers.”[8]
OPC Announcement Leaving 2009 Policy Position Unchanged
The OPC’s reframed consultation, which closed in early August, received 87 submissions, the vast majority of which took the view that ”there was no requirement under [PIPEDA] to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.”[9] After considering these submissions, the OPC decided it would maintain the status quo, leaving in place its 2009 guidelines, until PIPEDA is changed.
The OPC also announced that it would now focus its efforts on PIPEDA reform. It describes its longer-term goal “to ensure effective privacy protection in the context of transfers for processing, accepting that transborder data flows are the subject of international trade agreements and that both domestic and international transfers bring significant benefits to individuals and organizations.” The OPC notes its belief that existing privacy protections for consumers are “clearly insufficient” and that it will be making recommendations to strengthen those protections. As OPC develops recommendations regarding changes to PIPEDA, it will consider the submissions it received that addressed legislative reform.[10]
Linda M. French
Assistant Chief Counsel, ICI Global
Shannon Salinas
Assistant General Counsel - Retirement Policy
endnotes
[1] OPC’s announcement is available at https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/an_190923/.
[2] Guidelines for processing personal data across borders, Office of the Privacy Commissioner (January 2009), available at https://www.priv.gc.ca/en/privacy-topics/airports-and-borders/gl_dab_090127/. “‘Transfer’ is a use by the organization. It is not to be confused with a disclosure.” Furthermore, “[a]ssuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”
[3] As we recently explained, the Canadian government is considering sweeping updates to its privacy and data protection laws, including amendments to PIPEDA. See ICI Memorandum No. 31920, dated August 26, 2019, available at https://www.iciglobal.org/iciglobal/pubs/memos/memo31920.
[4] Consultation on transborder dataflows, Office of the Privacy Commissioner, available at https://www.priv.gc.ca/en/about-the-opc/what-we-do/consultations/consultation-on-transborder-dataflows/.
[5] Consultation on transfers for processing – Reframed discussion document, Office of the Privacy Commissioner (June 11, 2019), available at https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/an_190611/.
[6] The Canadian federal government published its Digital Charter initiative in May in which it suggests that it will address transborder dataflows in upcoming amendments to its existing federal data privacy legislation. Canada’s Digital Charter in Action: A Plan by Canadians, for Canadians, Innovation, Science and Economic Development (ISED) Canada (May 21, 2019), available at https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00109.html.
[7] See footnote 4, supra.
[8] Id.
[9] See OPC announcement, footnote 1, supra.
[10] The OPC’s reframed consultation invited stakeholder views on how future PIPEDA amendments should provide effective privacy protection in the context of transfers for processing. See footnote 4, supra.