David Krebs and Luanne Schlosser are quoted in The Hill Times article, “Privacy watchdog proposing rule change that could see firms revise data-use policies”

May 23, 2019 | David Krebs, Luanne Schlosser

The Hill Times, "Privacy watchdog proposing rule change that could see firms revise data-use policies"

Companies could soon be rewriting their privacy policies to fit a change the privacy commissioner is contemplating that could mean getting a person’s explicit okay in all cases when their data is to be transferred across the border. Though the proposed change isn’t final, it has some interested people and groups saying that they’re now left with more questions than answers.

Ever since the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force in three stages between 2001 and 2004, interpreters have had difficulty understanding exactly what the legislation says.

Teresa Scassa, the Canada Research Chair in Information Law and Policy at the University of Ottawa, said PIPEDA is like a “dog’s breakfast” that needs to be read with sticky notes close at hand to keep track of the many subclauses and confusing definitions. Federal Court Justice Yvan Roy called the law “peculiar” and “not easily accessible.” Experts have further criticized the law, saying it is no longer fit for purpose, as it was drafted before the age of smartphones, social media, concerns over how vast amounts of personal data are used by multinational companies, and other digital-age challenges.

To remedy some of the confusion about how data collected in Canada can be sent across borders, in 2009 the Office of the Privacy Commissioner (OPC) issued a guidance statement on cross-border transfers that said if “the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.” A decade later, the office of federal privacy commissioner Daniel Therrien again released guidance last month on how data is supposed to be sent across borders.

The shift would require Canadian companies to acquire consent before disclosing personal information across the border, regardless of whether it is being used for the same purpose for which it was originally collected.

The new position was outlined on April 9 and was followed by a supplementary discussion document on April 23. Though the position is a preliminary one—consultations were launched and will continue until June 28—the OPC’s reinterpretation of privacy laws has the potential to dramatically change the ways personal data is treated in Canada.

In 2009, the OPC stated that so long as the personal data was “used for the purpose it was originally collected, additional consent for the transfer is not required.” Processing data for a certain purpose may prove more costly and difficult than simply collecting it. In that case, companies would normally outsource data processing to third parties in other jurisdictions. If the initial company used certain contractual provisions to ensure the data would be used for the same purpose in Canada and other jurisdictions, the company was not required to ask the individual for additional consent.

Both domestic and international concerns motivated this shift, according to Prof. Scassa, a senior fellow with the Centre for International Governance Innovation’s International Law Research Program. Domestic pressures include several high-profile privacy scandals, such as the Equifax data breach that affected nearly 20,000 Canadians. In addition to Canadians’ concerns over individual privacy, the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018, is providing some external pressure for PIPEDA reinterpretation. The GDPR essentially mandates data on EU citizens processed in other jurisdictions meet EU standards, meaning data from non-compliant countries would be unable to flow across EU borders. In December 2018, the House Committee on Access to Information, Privacy, and Ethics (ETHI) recommended the government “immediately begin implementing measures in order to ensure that data protections similar to the General Data Protection Regulation are put in place for Canadians.”

Canadian privacy law operates according to three concepts: use, disclosure, and collection, said David Krebs, a privacy lawyer at Miller Thomson in Saskatoon. Previously, PIPEDA had classified such data transfers as a “use” as opposed to a “disclosure.” The new position from the privacy commissioner’s office reverses this long-standing interpretation, instead seeking to treat the transfers as a disclosure.

“Disclosure arguably has a higher threshold and a higher level of knowledge and consent required,” said Luanne Schlosser, a privacy lawyer also with Miller Thomson.

Under the previous interpretation it was sufficient for an organization to have a section in their privacy policy stating that the data could be stored in a different jurisdiction, meaning it would be subject to that jurisdiction’s privacy laws. Under the new disclosure criteria, such an approach may no longer be enough.

Like the initial interpretation, the new OPC position is causing confusion among affected companies and privacy lawyers. The supplementary discussion document, issued on April 23, was intended to provide more detail as to why the OPC has taken a new position.

Mr. Krebs and Ms. Schlosser said there is still a big unknown regarding the consent principle. Under what circumstances consent must be explicit or implicit is one of the questions posed to stakeholders by the supplementary document. Until the consultation period is finished, nothing can be said with certainty. The supplementary discussion document, however, stated that the new position would require organizations to get explicit consent if the information being transferred is sensitive, or if the individual would reasonably expect such information not be disclosed to a third party.

Further questions revolve around what would happen if an individual refuses to have their information transferred. According to Mr. Krebs and Ms. Schlosser, a second option would have to be made available to that person. They warn that this could be logistically onerous on certain organizations.

The privacy commissioner’s office stated: “individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localization), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.”

For organizations involved in data collection, processing, and transferring, the privacy commissioner’s new position has the potential to alter how they interact with individuals over privacy matters. Existing privacy policies may not be in line with the new position, and may have to be altered. Additionally, an organization may have to create a new procedure that solicits consent from an individual when their data is to be transferred across a border.

As data is becoming an increasingly valuable aspect of the modern economy, international trade deals have sections dealing entirely with data transfers. Like with other goods and services, these trade deals seek to reduce barriers and make trade cheaper and easier. Policies like the GDPR, however, clearly seek to restrict how data flows across borders. If Canada were to adopt an approach similar to the EU’s GDPR, it could be at odds with its obligations under trade deals such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the United States-Mexico-Canada Agreement (USMCA, also known as CUSMA or the new NAFTA), say some analysts. The consent requirements could potentially be viewed as a non-tariff barrier to trade, though the OPC had said it believes its position is consistent with Canada’s international trade obligations. In order to be viewed as a non-tariff barrier, the consent provision would have to impose restrictions greater than those required to protect an individual’s privacy.

Organizations involved in data transfers will likely be left asking questions until the consultation period concludes on June 28. In a May 14 email statement to The Hill Times, the OPC said “we will use the information gathered during the consultation to update our guidance for businesses on cross-border transfers of personal information. We will clarify the rules so that organizations understand their obligations around obtaining valid consent and remain accountable for protecting the information in their control.”

According to Prof. Scassa, one of the larger questions looming over the entire debate is whether a change such as this merits a simple OPC reinterpretation or if new legislation is needed. Prof. Scassa said making a substantial change to privacy law through reinterpretation runs the risk of appearing to be far outside established practices, and could undermine what she views as a legitimate policy goal going forward.

Innovation Minister Navdeep Bains (Mississauga-Malton, Ont.) in February said the Liberal government “agrees that legislative changes to Canada’s privacy regime are needed,” when asked about Mr. Therrien’s comments that he’s growing increasingly concerned that Canada’s privacy rules are outdated and Canadians’ privacy rights aren’t being given enough importance in the new digital landscape focused on leveraging data for all sorts of uses.

In a May 15 email statement to The Hill Times, Mr. Bains’ press secretary Danielle Keenan reiterated the need for legislative changes to Canada’s privacy regime and said he “looks forward to announcing the next steps on a principles-based approach to data in the coming weeks.”

The government said last month, in response to an ETHI committee report, it is “examining all options to ensure that PIPEDA maintains its intended balance between the individual right to privacy and businesses’ legitimate needs to collect, use, and disclose information. Any legislative changes will ensure that the Act continues to provide meaningful protections for privacy, while also supporting innovation, growth, and the free flow of data in international trade and commerce. PIPEDA updates must also recognize emerging privacy norms, particularly internationally, and work coherently with other marketplace frameworks, such as competition law.”

 

This article was reprinted with permission from The Hill Times. View the article at its source.