On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal information, and not a disclosure that requires separate consent.
This announcement brings at least temporary clarity to an issue that resulted in a tumultuous summer for organizations and the OPC alike as everyone grappled with the potential consequences of the OPC’s June 2019 announcement of a proposed shift in policy to treat transfers for processing as “disclosures” rather than “uses” of personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).
What’s old is new again
In January 2009, the OPC issued Guidelines for processing personal data across borders setting out its interpretation that a “transfer” of personal information by an organization for processing is a “use” and not a “disclosure” of that personal information. The limit on the transfer was that the personal information could only be used for the purposes for which the information was originally collected. Therefore, when an organization transferred personal information to a third party for processing, additional consent for the transfer itself was not required. Processing was broadly interpreted to include any use of the information by the third party for a purpose for which the transferring organization can use it.
The OPC did expressly state in its guidelines that organizations would need to make it plain to individuals, ideally at the time of collection, that their information may be processed in a foreign country and may be accessible to law enforcement and national security authorities of that jurisdiction. Notably, the guidelines stated that once informed individuals have chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred for processing purposes.
Organizations duly structured their consent practices and procedures to account for this interpretation of PIPEDA. As a result, the vast majority of organizations have not been obtaining separate consent to transfers for processing.
However, in April 2019, the OPC announced it was revisiting this position. Specifically, the OPC announced its view that transfers of personal information for processing, including cross-border transfers, are disclosures that require separate consent. This change in position followed the OPC’s April 2019 investigation findings on Equifax Inc. and Equifax Canada’s Co.’s compliance with PIPEDA in light of the 2017 breach of personal information. The OPC based its findings on the principle that individuals would expect to know whether and where their personal information may be transferred or disclosed to an organization outside of Canada.
Under the OPC’s revised interpretation, organizations would be required to inform individuals of any options available to them if they did not wish to have their personal information disclosed across borders. This would allow individuals to make an informed decision about whether to consent to the disclosure and therefore do business with the organization.
The OPC initially set out to consult with stakeholders on this revised position, but then took a step back in May 2019 when the Department of Innovation, Science and Economic Development (ISED) published its Digital Charter, which contemplates the amendment of PIPEDA. That step back was short-lived, however, as the OPC reissued its request for consultation in June.
Following receipt and consideration of submissions from 87 stakeholders, most of which were critical of the proposed shift, the OPC has now reverted to its original position ‒ a “transfer” of personal information by an organization for processing was again a “use” and not a “disclosure” of that personal information. The OPC, recognizing that more than one interpretation of the requirement for consent was possible, determined it was pragmatic to maintain its previous position until PIPEDA itself is amended.
The OPC will now focus instead on its submissions to ISED for modernizing PIPEDA, including on how to most effectively protect individuals’ privacy rights in the context of transfers for processing. This suggests that while the debate is not over, its eventual resolution will be determined by Parliament.
Challenges associated with the OPC’s changes of position
The OPC’s guidelines, while important and useful tools to interpret PIPEDA, are not legal precedent and therefore may be more freely subject to change.
At the same time, organizations do establish their organizational processes based on the guidelines issued by the OPC, which allows organizations and consumers to have confidence that their processes are compliant with privacy law obligations. PIPEDA is, after all, intended to "support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances."
Therefore, by maintaining the status quo in an effort to keep organizational confidence in their own processes while at the same time making it clear it is the OPC’s view that these processes are deficient, the OPC has in effect created temporary clarity that is tempered by a persistent sense of uncertainty surrounding its de facto expectations and future intentions regarding transfers of personal information for processing.
What is clear from the OPC’s most recent announcement is that organizations should at the very least be transparent with individuals that their information may be processed in a foreign country and may be accessible to law enforcement and national security authorities of that jurisdiction. Best practices would be to advise individuals of details of the transfer at the time of getting consent.
Finally, with the loss or misuse of personal information by organizations being highlighted in news cycles, consumers are more aware of the handling of their personal information. Where consumers do not believe organizations met their expectations for transparency or security of their information, this could lead to reputational and legal risk to an organization. Organizations should be cognizant of their consumers’ expectations and the risks associated with the transfer of their personal information to other jurisdictions when designing consent and transfer processes. This is particularly so where significant privacy risks arise from the transfer of personal information across borders, such as the transfer of information of the exercise of legal activities by Canadian individuals where such activities are not legal in the other jurisdictions (cannabis use, for instance).