Six months after it started, the consultation process on the proper treatment of transborder personal data transfers has now closed. On September 23, 2019, the Federal Privacy Commissioner (“OPC”) confirmed that transborder transfers of personal data will remain a “use” of personal information under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and will not be treated as a “disclosure,” which means that the 2009 Guidelines for processing personal data across borders (“2009 Guidance”) will remain the governing guidance document in this area.
As we reported in three previous articles on this topic, the consultation process was started to seek feedback from stakeholders on the impact of the Commissioner’s intention to view a transfer as a “disclosure ” rather than a “use” of personal information. The OPC made this announcement on April 9, 2019, with one of the main drivers being the findings in the Equifax decision. One central implication of this change would have been to essentially require fresh and specific consent for transborder transfers of personal information (rather than relying on notice-based and general statements about crossborder data flows, which is the status quo).
In making its decision, the Commissioner cited pragmatism and the overwhelmingly critical submissions it received from stakeholders on the topic. The announcement further noted as a reason for this conclusion that PIPEDA will likely be reformed and any changes arising out of this current consultation would likely not be implemented until after such new legislation is in force.
While one can view this as backtracking in the face of a significant headwind, it was clear that the Commissioner was put into an all but impossible position after the Canadian government announced changes to its digital strategy, including PIPEDA reform, only weeks after the OPC’s initial statement that it intends to change its position on transborder personal data transfers.
The OPC also reinforced their general view that Canadian privacy law is currently inadequate to manage the modern realities of how personal information is collected, used, and transacted in the global economy:
“In our view, existing privacy protections are clearly insufficient and we will be making recommendations to strengthen the protections in a future law.”
- to be transparent about personal information handling practices;
- advising customers their personal information may be sent to another jurisdiction and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities;
- clarifying the type of personal information being collected;
- identifying the parties with whom personal information is being shared;
- naming the purposes underlying all personal information processing; and
- stating any residual meaningful risk of harm or other consequences.
The central and all-important first takeaway is that organizations will not need to take any immediate and drastic steps to make changes to existing policies, procedures or contracts.
The second key takeaway is that this by no means signals that the OPC is of the view that any of its previous findings about the inadequacy of the current law, or the threat to data when it crosses borders, are diminished.
Lastly, the OPC has clearly and succinctly confirmed expectations when it comes to drafting appropriate language describing transborder data transfers. This should provide additional comfort to organizations when contemplating new, or revisions to existing, privacy policies or data protection procedures.