As we discussed in a recent blog post on this important issue, the Office of the Privacy Commissioner of Canada (“OPC”) last month announced its intention to interpret the “transfer” of personal information as a “disclosure” rather than a “use” under Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). As we explored, this shift in position has the potential to have a tangible impact on the way in which companies must communicate with, and obtain consent from, customers, as well as on other aspects of operations relating to the processing of personal information, in particular transborder data transfers, including those between affiliated organizations.
Since the release of the initial position paper of April 9, 2019, there has been much debate as to how the OPC’s new position will change the degree of information that an organization must highlight under its openness obligation, how the shift may affect sectors such as e-commerce, and whether a shift in position will run afoul of international trade agreements. Given these and other mounting concerns, on April 29, 2019, the OPC released a Supplemental Discussion Document. This document appears to address concerns born of the initial position paper, and the intention appears to be to clarify the matters on which the OPC would like to receive input as part of the consultation process, which is set to close June 4, 2019.
There are eight main areas outlined in the document,[i] with a number of sub-questions within each of those areas. We feel it is worthwhile to highlight three main feedback themes in particular: (i) the role and nature of “consent” in this context; (ii) the impact on trade agreements; and (iii) the practical impact on organizations subject to these requirements, in particular those who transfer Canadian data internationally. With respect to the last point, the OPC asks:
Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
This is an interesting question to pose in light of the fact that the OPC’s shift in position from a transfer being a “use” to a “disclosure” is generally viewed as constituting a significant development in Canadian privacy law. That being said, perhaps it is still a relevant matter to explore. It is true that under current OPC Guidelines, companies should already be providing notice to customers about where their personal information will be sent, as well as the risks associated with that, as this requirement already exists under the Accountability and Openness Fair Information Principles. Is the underlying assumption then that the change will be of more legal or theoretical import than of actual operational impact on businesses? One can only speculate, but perhaps the answer lies somewhere in between. That is, the way in which the “consent” requirements will be interpreted may have significant operational impact on some businesses, and minor, more clerical impacts on others.
As noted previously, our privacy and cyber security team will be monitoring these developments closely over the coming months. Businesses are well-advised to consider the potential impact on their operations and documentation. While there is much that remains uncertain, the likelihood that there will be upcoming changes for Canadian organizations in relation to personal data transfers is surely more than remote at this stage.
[i] 1. In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
2. Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
3. What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1, 2019? Specifically:
(a) In what circumstances should consent be implicit or explicit?
(b) What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
(c) Should the notice to the affected person name the third parties?
(d) Should the notice contain other pieces of information?
4. Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
5. If the elements identified in question 3(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
6. What elements should be included in obtaining consent for transfers for processing that are not transborder?
7. Do you think the proposed interpretation of PIPEDA is consistent with Canada’s obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 3(b) must be disclosed as part of the openness principle?
8. Any other comments or feedback you think may be helpful.