The Office of the Privacy Commissioner of Canada took the unusual step of reopening a previously suspended, controversial consultation on cross-border transfers under the Personal Information Protection and Electronic Documents Act — signaling it remains determined to move toward a consent-based model for such transfers under current and possibly future PIPEDA rules. The OPC’s proposal to impose consent rules on cross-border transfers runs counter to the growing consensus that obtaining the individual’s consent does little to enhance privacy protections for individuals. It would fundamentally change PIPEDA’s long‑standing accountability-based approach, encourage data localization, and transform Canada’s cross-border approach into one of the strictest in the world.
Surprisingly, the OPC’s consultation on cross-border transfers may produce short-term regulatory fixes that will be at odds with the longer-term regulatory outcomes sought by the Canadian government in its recently announced Digital Charter, a 10-pronged strategy aimed at protecting personal information in a data-driven society. For example, the Digital Charter affirms that current consent-based models with complex and lengthy privacy policies are inadequate and do not help build trust. Moreover, it notes that many Canadian companies are confused by the plethora of existing privacy legislation and calls for the establishment of clear and responsive marketplace frameworks that support interoperability on a global scale through collaboration and alignment with existing frameworks, such as the EU General Data Protection Regulation.
The OPC justifies its position on the basis that it lacks the necessary enforcement authority to ensure proper accountability; however, adding a consent requirement for cross-border transfers is not a substitute for increasing the OPC’s enforcement authority. The OPC’s revised policy will encourage data localization, which does not ensure greater privacy and data security protections — in fact, the privacy and security risks may increase because organizations will have to increase the number of systems in which personal information is stored (and thus spread limited resources across multiple systems). Increased cross-border data restrictions will also have significant and unintended consequences for domestic economic growth and investment and will limit consumer choice as companies may simply decide that they are not interested in providing services in Canada when an individual can at any time elect to require that their information remain in Canada.
An immediate legislative fix for the OPC’s enforcement authority is unlikely, so the real question is whether putting a temporary “consent band-aid” on the problems the OPC identified is worth the risk to Canadian consumers, industry and the Canadian economy.
Companies should consider the impact that the OPC’s new policy is likely to have on their operations and weigh in with any concerns they may have. Comments must be submitted by Aug. 6.
OPC reverses long-standing position on cross-border transfers and initiates consultation
Since 2009, the OPC has held that businesses conducting cross-border transfers for processing purposes are required to provide notice to individuals and ensure through contractual or other means that the data recipient will provide a level of protection comparable to that of the controller. However, concurrent with the April 2019 release of a report summarizing its investigation of Equifax’s 2017 data breach, the OPC suddenly reversed course.
Citing Equifax Canada customers’ surprise that their personal data was transferred to the United States for processing, the OPC concluded that Equifax Canada should have obtained Canadian consumers’ express consent before transferring sensitive credit reporting information to Equifax and informed individuals who did not wish to have their information disclosed in this way of their available options.
The same day that it released the Equifax report, the OPC opened a consultation on its modified position. It later issued a discussion document to clarify the policy reversal and summarized the new position as follows:
- A company that is disclosing personal information across a border, including for processing, must obtain consent. The form of consent required depends on the sensitivity of the information at issue and the individual’s reasonable expectations in the circumstances.
- Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders.
- When disclosing personal information to a third party for processing, a company does not relinquish control of the information. An organization that processes personal information on behalf of another organization may still have obligations under the act in respect of the personal information in its possession or custody.
The OPC’s policy change was immediately criticized both substantively and procedurally, with commentators noting that a move away from the current accountability-based approach would render Canada’s privacy regime incompatible with those of other leading jurisdictions, including the GDPR, impose significant operational and financial burdens on companies, and confuse individuals. Others criticized the consultation itself, calling it a mere formality because the OPC announced its intention to reinterpret PIPEDA’s cross‑border transfer provisions before soliciting stakeholder input.
Canadian government unveils digital strategy and policy proposals for updating PIPEDA
Subsequently, in May 2019, Innovation, Science and Economic Development Canada — the Canadian government department tasked with economic development — released a 10-pronged Digital Charter aimed at protecting personal information in a data-driven society and a related white paper outlining policy options for amending PIPEDA. ISED remarked that any reform of PIPEDA must advance the charter’s principles and address PIPEDA’s greatest shortcomings — namely, that individuals lack meaningful control over their personal information and privacy, that there is confusion about the application of a principles-based approach to new business models and technologies, and that the current enforcement model does not incentivize compliance.
Several of ISED’s policy options are reminiscent of provisions contained in the GDPR and/or the California Consumer Privacy Act, including:
- Requiring organizations to provide individuals with specific, plain-language notice of the intended use of their personal information and the third parties with which it will be shared.
- Requiring organizations to inform individuals about the use of automated decision‑making, including the factors involved in the decision and the logic upon which the decision is based.
- Providing individuals with data portability and deletion rights, including a requirement that organizations communicate corrections or deletions to third parties with which they have shared personal information.
- Extending minors’ deletion and de-identification rights, with limited exceptions.
- Establishing defined retention periods.
- Increasing the range of fines for violations of PIPEDA.
- Extending the regime for fines to apply to additional provisions of PIPEDA.
Notably, several of the options diverge from the OPC’s new position regarding cross-border transfers. For instance, one proposal would seek to improve the current accountability regime by requiring organizations to demonstrate their accountability, including in the context of cross-border data transfers. Another would provide for alternatives or exceptions to consent under certain circumstances, including common uses of personal information for business purposes.
ISED did appear, however, to advocate for the expansion of the OPC’s enforcement powers to incentivize organizations’ compliance with PIPEDA, including by providing the Commissioner with increased discretion to determine whether to investigate a complaint, authority to periodically review or audit an organization’s adherence to the law, and order-making power to halt the collection, use, or disclosure of personal information by non-compliant organizations.
Suspension and subsequent revival of cross-border transfer consultation
In May 2019, Privacy Commissioner Daniel Therrien announced the OPC was suspending the consultation in light of ISED’s release of the digital charter and white paper. While the OPC remarked that an eventual new law would clarify cross-border transfer requirements, critics opined that the OPC was using the digital charter as an opportunity to retreat from an unpopular position.
The suspension was brief, however, as the OPC reframed and reopened the consultation less than a month later, and in so doing, asked stakeholders to address new questions regarding the drafting of a future law, in addition to answering the questions it initially posed regarding the proper interpretation of PIPEDA’s cross-border transfer provisions.
The OPC acknowledged that any forthcoming guidance may be short-lived if PIPEDA is overhauled or replaced, but pointed to the lengthy legislative process (indeed, no significant legislation is expected to be introduced prior to Canada’s October 2019 federal elections) to explain the need for a short-term solution.
In updating its position, the OPC also advocated for the amendment of PIPEDA to require organizations’ demonstrable accountability, including by granting the OPC authority to proactively inspect their practices. It also expressed that while the adoption of an adequacy regime for cross-border transfers might be “too fundamental a change to consider,” a standard contractual clauses regime should be seriously considered because it would provide an additional level of regulatory review. In situations when neither contractual clauses nor other means are effective, however, consent may be required.
The complete list of questions that the OPC would like stakeholders to answer is included in a reframed discussion document. Interested stakeholders must submit their comments on the OPC’s updated position via email by Aug. 6.
If you want to comment on this post, you need to login.