This week, the Office of the Privacy Commissioner released the long-awaited report on the Equifax data breach. We summarize the story below. A number of issues arose in the course of the investigation, and the net result is a pretty scathing account that requires Equifax to prove, over the course of the next six years, that they are doing privacy better.
The OPC is taking the opportunity to also revisit its position on trans-border data flows. So, at the same time as the report on the Equifax breach, the OPC released a preliminary position as part of a consultation on the issue of the transfer of personal information to third parties for processing — especially when those third parties are situated outside of Canada.
The preliminary position being taken by the OPC is a marked departure from previous decisions and guidance. Privacy Commissioner Daniel Therrien is now calling a transfer to third parties for processing a disclosure (as opposed to a use). And, he is taking the position that this disclosure will require a clear form of consent.
Marty Abrams, from the Information Accountability Foundation, said this to me: “Kris, Canada was known internationally as the country that had the most rational approach to the natural flow of data between controllers and processors, and additional controllers. Exporters needed contracts and to conduct due diligence to assure data was processed in line with the context of the relationship between a company that uses data and the individuals to whom it pertains. Controllers were required to maintain an accountability chain. There was no difference between a transfer in Canada and one with trading partners. This [new OPC] direction fundamentally changes that equation.”
As I mentioned, the OPC’s new emphasis on consent as opposed to accountability is different, and I’m not entirely sure how it will play out in practice. Are we now going to have to click “I agree” to myriad new pop-up notices every time we interact with an organization that transfers personal information for processing purposes? I don’t know about you, but I feel like we are already faced with too many hollow consent grabs by organizations making us agree to things every time we try to interact with them. To be clear, my position is that these forms of consent do not always result in meaningful consent at all. In fact, it has been proven over and over again that these notices are not well understood by the majority of people.
The rest of the world is adopting data protection regimes that emphasize accountability. While consent remains an important aspect, it is being recognized that there are better and more practical ways to protect individual privacy.
Will you take the time to let the OPC know what you think about their change in position? Do you agree with me that it is an issue that is worth further debate? Would love to hear your thoughts on this.