In April of this year, as discussed in our previous blog posts, the Office of the Privacy Commissioner of Canada (“OPC”) called for changes to the way Canadian privacy law treats transborder personal data transfers, and commenced a consultation process.
This process was first supplemented (in a supplemental document released April 23, 2019), then suspended (as announced by Commissioner Therrien during the 2019 Canadian Privacy Symposium on May 23, 2019), and has now been reframed (on June 11, 2019, the OPC released a document entitled “Consultation on transfers for processing – Reframed discussion document”). This document builds on the previous position statement from April 9, 2019 and the supplemental document released shortly thereafter, restating the OPC’s position on the current law and on potential amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and requesting public feedback. This was necessary after the federal government announced its intention to overhaul PIPEDA in the “Digital Charter” document that was published on May 21, 2019.
Canada’s Digital Charter and Potential Overhaul of PIPEDA
The Digital Charter sets out a number of areas relating to PIPEDA that could be subject to reform in a section focussed on privacy and digital rights. The main areas of potential reform referenced in this section are “Enhancing Enforcement and Oversight,” “Enabling Responsible Innovation,” and “Enhancing Individuals’ Control.” Possible ways to address the latter include enhancing consent, providing for data mobility, and data access and deletion rights.
The Digital Charter acknowledges that there is a lack of tangible consequences for egregious violations of Canadian privacy law, something Commissioner Daniel Therrien pointed out with great conviction before the Standing Committee on Access to Information, Privacy and Ethics on the findings of the investigation into Facebook[i] earlier in the year. Ensuring Canadian law remains “compatible” with the European General Data Protection Regulation (“GDPR”) was also noted as a driver, among others, behind the likely reforms to the law.
Regarding transborder transfers, Minister Bains notes that this issue is complex:
“Unlocking the potential of data will help support the growth of Canadian firms, particularly in AI where Canada has a competitive advantage. However, given its ubiquitous nature, its ability to traverse international borders with ease, and the sensitivities around trust and privacy, it is a complex issue. Canada continues to support bilateral and multilateral commitments relating to the cross-border transfer of information, as well as commitments, which seek to prevent data localization requirements.”
In response, the June 11 Discussion Document sets out the OPC’s views on long-term amendments to PIPEDA regarding cross-border transfers, stating that, primarily, standard contractual clauses or other potential means should be considered in the first instance. Consent should be a failsafe in case no other mechanisms can effectively protect Canadian data.
Interestingly, the adoption of an adequacy regime, as exists in the EU, for example, was described as being potentially too “fundamental” of a change as well as not being effective in all cases. The GDPR concept of relying on “legitimate interests” of the organization in processing data, rather than on consent, is also missing from the discussion.
The statement that this issue is complex is certainly not unreasonable given the OPC’s stated position, the desire for Canada to remain an “adequate” country for receipt of European personal data under GDPR, and industry’s concerns with overly cumbersome restrictions or requirements for such data transfers.
Revised Consultation Process on Cross-border Transfers
With its restated position and reframed consultation process, the OPC has amended and clarified the current ask regarding the public consultation on transborder transfers, stating that:
“The change in position [referring to the interpretation of a transfer as a “disclosure” rather than a “use”] by the OPC would require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers. We are open to views on how (implied or express consent, content of the information upon which consent would be sought) this might be achieved.”
The OPC is seeking stakeholder input in two main categories: one concerns a future law, and the other concerns the present law and how it should be interpreted. The deadline for submissions is August 6, 2019, and the OPC is asking for input on a number of different themes, the main ones being:
- Additional enforcement powers: For instance, should a future law require “demonstrable accountability” and give the OPC the ability to “approve standard contractual clauses before they are implemented and, once they are adopted, proactively review their implementation to ensure a comparable level of protection?”
- Scope of consent: Questions include whether consent should be implicit or explicit, what level of detail should be required, whether this should include naming third parties, and whether any other information would need to be included.
- International trade agreements: Feedback as to whether any of these potential changes would run contrary to Canada’s obligations under these agreements.
The outcome of this consultation and related discussions should not be underestimated and we will be keeping a very close eye on any developments in this space. If you have any questions on the potential current or future impact on your organization, please reach out to our privacy and cyber security team.
[i] The investigations into Facebook began in 2009, when the OPC warned Facebook that the company’s terms and conditions were too vague to allow for meaningful consent to be given and that the organization’s safeguards were inadequate to protect the personal information of individual users. Through the recent investigation, there was evidence that Facebook had failed to improve on the issues addressed in the 2009 investigation. Because these issues were not addressed, Canadians using Facebook had and still have a high risk that their personal information will be used in ways they may not be aware of, for purposes they did not agree to, and for purposes which may be contrary to their interests and expectations.
The current investigation showcased that Facebook violated PIPEDA by:
- Failing to obtain meaningful consent of users to disclose their personal information to third party applications;
- Disclosing the personal information of friends of users who installed applications without their knowledge or meaningful consent;
- Failing to maintain adequate safeguards to protect against the unauthorized access, use or disclosure of personal information; and
- Failing to be accountable for the personal information in its control as the company had tried to shift its privacy responsibilities onto the applications on its platform and onto users themselves (this violated the accountability principle).
As the current PIPEDA law stands, the next step for the OPC will be to apply to the Federal Court to seek a binding order requiring Facebook to take action to correct its practices. It will most likely be another year until this case is heard by a court.