In 2009 — yes, that is 10 years ago — the Office of the Privacy Commissioner of Canada released its guidance on transborder data flows. It spoke about the need to be accountable when transferring information for processing purposes by using contractual means. It recognized that data was fluid and flowed from jurisdiction to jurisdiction.
Earlier this week, the OPC announced those guidelines are still valid. It came on the heels of a consultation that took place over the summer that began with a proposed different approach to TBDF and the transfer of personal information. The consultation garnered a lot of organizations to provide submissions, and many of those were made public on LinkedIn. If you spent any time reading the submissions, you’d easily see why the OPC made the announcement it did this week. They were overwhelmingly in favor of the status quo, and the OPC listened. “Good result,” is what I posted on social media.
The OPC’s announcement also talked about focusing efforts on the potential of a new law. They recognize that international movement of data can be a good thing, but at the same time raises privacy issues that, in the commissioner’s opinion, are not adequately dealt with in the Personal Information Protection and Electronic Documents Act. Unfortunately, they don’t hint as to where PIPEDA is failing in this regard and only say, “In our view, existing privacy protections are clearly insufficient and we will be making recommendations to strengthen the protections in a future law.”
I don’t think they need to wait. They could, as I have said before, provide even more guidance to supplement their 2009 piece with clear examples of what contractual means are expected when you transfer for processing. As it is, I often borrow from what European DPAs have provided, but it would be nice to get a take from a Canadian regulator. No need to wait for a new law … just tell us what the expectations are with this one. Maybe then we won’t feel like PIPEDA is failing quite so much in this regard.