nNovation LLP

Small Canadian regulatory law firm with a big presence

Shaun Brown

The problem with de-identification in the Consumer Privacy Protection Act

December 15, 2020 by Shaun Brown

The recently tabled Consumer Privacy Protection Act (CPPA) would allow organizations to use and disclose de-identified information for certain purposes without consent. This makes sense, but there is a flaw: information that is de-identified according to the law is not even personal information. So privacy legislation shouldn’t apply. Yet, according to the proposed CPPA, de-identified information is personal information, excluded from only some of the CPPA’s requirements. This seems to defeat the purpose of referencing de-identification in the first place, while potentially redefining the concept of personal information.

What is de-identification?

To de-identify personal information in the CPPA means the following:

to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.

De-identified information appears to be a new category of personal information that would remain within the scope of the CPPA, although certain uses and disclosures can be made without consent. De-identified information can be used by an organization internally for research and development purposes. It can be disclosed to government institutions, health care institutions, post-secondary institutions, or other entities prescribed in regulation, for “socially beneficial purposes”.1

The CPPA does not explicitly state that de-identified information is personal information. However, this is implied, as the CPPA applies only to activities involving personal information according to the sections of the law describing its purpose and application.2 There is nothing to suggest that the law is intended to apply to de-identified information in addition to personal information.

What is personal information?

To understand the problem, it’s necessary to consider the meaning of “personal information”, defined as “information about an identifiable individual”. There are two related and overlapping lines of inquiry under this definition. The first is whether the information is “about” an individual (as opposed to, for example, an object). The second is whether an individual is “identifiable”.

In the absence of statutory guidance, courts have used different language to interpret this definition. In 2007, the Federal Court of Appeal stated that an individual is identifiable if it is “reasonable to expect” that an individual could be identified from the information alone or combined with “sources otherwise available”.3 A year later the Federal Court of Canada adopted the standard put forward by the Privacy Commissioner of Canada: there must be a “serious possibility” of identifying an individual through the information alone or combined with “other available information”.4

More recently, the Federal Court found that “serious possibility” and “reasonable to expect” are effectively the same thing: more than mere speculation or possibility, but not probable on a balance of probabilities.5

The need for a different threshold

De-identification in the CPPA uses effectively the same threshold as personal information, but in reverse. We’ll call this the “serious possibility/reasonably foreseeable” threshold. The courts have said that information is personal if there is a serious possibility that an individual could be identified, which is equivalent to “reasonable to expect.” Under the CPPA, personal information becomes de-identified if there are no “reasonably foreseeable circumstances” in which an individual could be identified. So personal information that is de-identified under the CPPA should not be personal information according to our current understanding of personal information as interpreted by the courts. Except, in the CPPA, it is.

Here’s another way of looking at it. In our current world, information becomes personal when it rises above the threshold of serious possibility/reasonably foreseeable, as seen in figure 1 below. Yet, under the CPPA, information that is personal information becomes de-identified personal information when it crosses below the threshold of serious possibility/reasonably foreseeable, as seen in figure 2.


An obvious question is when, if ever, does personal information become non-personal? In other words, once information becomes personal and within the scope of the CPPA, is it possible to transform it so that it is outside the scope of the CPPA? Currently, information that is sufficiently de-identified to no longer qualify as personal information is not regulated under PIPEDA (even if it is not truly anonymized). The effect of the CPPA seems arbitrary. If the information had been collected in a manner that never met the threshold for what constitutes personal information, it would never be subject to the law. However, because the information was, at some point, within the scope of the law, it is permanently trapped.

Even more confusing, does this alter the definition of personal information? If so, where is the new threshold? It seems that this would have to be lower under the CPPA than it already is.

It might be argued that there is a meaningful difference between “serious possibility/reasonable to expect” and “reasonably foreseeable circumstances”. But this isn’t tenable. When comparing “serious possibility” with “reasonable to expect”, the Federal Court said that it may be “impossible” to discern a meaningful difference. There’s no way the rest of us could be expected to differentiate between “reasonable to expect” and “reasonably foreseeable”.

Even less probable is an intentional effort to expand the definition of personal information, and in turn, the scope of the law. The government would have to be more explicit about such a significant change.

Most likely, this is just a well-intentioned idea with flawed execution, which would make the law too confusing.

One potential solution is to modify the definition of “de-identify” by removing the reference to reasonably foreseeable circumstances, as follows:

de-identify means to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual. [struck out: or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual]

This would create a threshold for de-identified information that is clearly distinct from the definition of personal information, which would seem to accomplish the objective of including de-identified information in the CPPA.

Another option is to just remove all references to de-identification from the law. Though maybe not ideal, if the threshold for de-identification is not modified to differentiate it from the definition of personal information, then the law would be better without it.

Filed Under: Legislation, PIPEDA, Privacy Reform

The Digital Charter Implementation Act: A Clear Plan for Change

November 19, 2020 by Shaun Brown

The Canadian government tabled draft legislation on November 17 that would make significant changes to the federal private sector privacy landscape. Bill C-11, the Digital Charter Implementation Act (DCIA), would replace Part 1 of the Personal Information Protection and Electronic Documents Act with the Consumer Privacy Protection Act (CPPA), create the Personal Information and Data Protection Tribunal Act (PIDPTA), and make minor amendments to several other laws.

The CPPA encapsulates the most fundamental aspects of Part 1 of PIPEDA, as it remains focused on providing individuals with control over how their personal information is collected, used and disclosed by organizations in the course of commercial activity. However, there are several important changes in both form and substance.

First, federal privacy law would exist in a standalone act, no longer bound to other, unrelated parts dealing with electronic documents. And, although the CPPA remains rooted in the ten privacy principles, unlike PIPEDA, it does not incorporate wholesale and build on the Canadian Standards Association Model Code for the Protection of Personal Information (which was an unusual way to draft a law).

In terms of substance, here are some of the most important changes:

  • Privacy management program. Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect personal information, deal with privacy complaints, train personnel, and develop materials to explain an organization’s policies, practices and procedures. The Office of the Privacy Commissioner (OPC) would be authorized to demand access to these policies at any time.
  • Appropriateness. The CPPA incorporates and builds on the “reasonable purposes” clause of PIPEDA with a more comprehensive standard for when it is appropriate to process personal information.
  • Exceptions for business activities. The CPPA defines a list of “business activities” for which an organization can process personal information without consent.
  • Transfers to service providers. The CPPA would firmly establish that knowledge and consent are not required to transfer personal information to a service provider. It also helpfully clarifies when an organization is considered to have control over personal information.
  • De-identified information. The CPPA defines circumstances in which de-identified information can be processed.
  • Automated decision-making. If an organization uses an “automated decision system” to make a prediction, recommendation or decision about a person, the organization would be required to, on request, explain the prediction, recommendation or decision, and how the personal information used to make the prediction, recommendation or decision was obtained.
  • Data mobility. Individuals would have the right to transfer their data between organizations if those organizations are subject to a “data mobility framework” defined in regulation.
  • Disposal of data. The CPPA would provide individuals with an explicit right to request the deletion of their personal information.
  • Revised OPC powers. The OPC would have the authority to make orders requiring compliance with the Act and to recommend penalties.
  • Tribunal. The new Personal Information and Data Protection Tribunal would hear appeals from OPC orders. It would also have the ability to impose penalties, if recommended by the OPC.
  • Penalties. The CPPA provides for maximum penalties of up to 3% of global revenue or C$10 million for most contraventions, and up to 5% of global revenue or C$25 million for certain offences.
  • Codes of practice and certification. The CPPA would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.
  • Private right of action. Individuals affected by contraventions of the law would have a right to sue for actual damages suffered. This right would only be available following an OPC finding that a contravention had occurred, which is not successfully appealed to the tribunal.

The DCIA would create the most significant change in Canadian privacy legislation in 20 years, aligning federal private sector privacy law – which applies throughout the country except in Alberta, British Columbia and Quebec – more closely with the EU General Data Protection Regulation. However, Bill C-11 still has a long road to travel before it becomes law, which is far from certain. The federal legislative process tends to move very slowly, and with a minority government in power, a vote of non-confidence in Parliament could trigger the election of a new government, which may prefer a different route.

Filed Under: Legislation, PIPEDA, Privacy, Privacy Commissioner of Canada

Federal Court of Appeal declares Canada’s Anti-spam Legislation constitutionally valid

June 9, 2020 by Shaun Brown

On Friday the Federal Court of Appeal (FCA) published a long-awaited decision in 3510395 Canada Inc. v. Canada. 3510395 Canada Inc. is “CompuFinder”, the Quebec-based company that earned the first administrative monetary penalty under CASL when it was penalized by CRTC staff for $1.1 million in March 2015. The company made representations to the Commission on the substance of the violations, as well as arguing that CASL is unconstitutional. On the substance, the Commission found that CompuFinder did commit most of the violations alleged, while reducing the penalty from $1.1 million to $200,000. The CRTC issued a separate decision finding that CASL is constitutional. CompuFinder appealed both decisions to the FCA.

The Court addressed both appeals in a single, 112-page decision. CompuFinder lost on every claim, with all three justices in agreement. The following summarises the issues addressed by the Court.

Constitutional issues

  1. Jurisdiction: The Court found that CASL is within the federal government’s constitutional authority under the general branch of the trade and commerce power.
  2. Freedom of expression: Although CASL infringes on freedom of expression protected under section 2(b) of the Charter of Rights and Freedoms (Charter), it is saved by section 1, which states that Charter rights and freedoms are subject to reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.
  3. Section 11 of the Charter: CASL does not violate section 11 of the Charter, which guarantees certain protections to any person charged with an offence. Contrary to the claims of CompuFinder, CASL does not allow for the imposition of “true penal consequences”.
  4. Section 7 of the Charter: CompuFinder attempted to argue that CASL violates a person’s right against self-incrimination under section 7. The Court quickly dismissed this claim as section 7 can only be used by a corporation to challenge a law if there are “penal consequences” (and the Court found that there are none).
  5. Section 8 of the Charter: The Court found that the investigatory powers exercised by the CRTC were well within the limits of section 8, which protects against unreasonable search or seizure.

Substantive Issues

  1. Business-to-business exemption: None of the commercial electronic messages (“CEMs”) sent by CompuFinder qualify for the exemption for messages sent between businesses with a “relationship” in para. 3(a)(ii) of the Electronic Commerce Protection Regulations.
  2. Implied consent: CompuFinder did not have implied consent to send CEMs based on the conspicuous publication of email addresses, pursuant to para. 10(9)(b) of CASL.
  3. Non-compliant unsubscribe mechanism: CompuFinder violated CASL by sending CEMs that contained non-functioning unsubscribe mechanisms.

The overall outcome is not surprising, and it’s hard not to wonder why CompuFinder decided to throw so many different claims into the appeal instead of focussing on those that might stand the greatest likelihood of success. On the substance of the violations, CompuFinder’s actions were hard to defend. The facts in this case, combined with what was revealed through the detailed report of findings from the Office of the Privacy Commissioner (OPC) in 2016, suggest that CompuFinder engaged in very “aggressive” marketing practices that resulted in a lot of unwanted email (i.e., the type of thing that CASL was intended to prevent).

Outside of section 2(b), the Charter claims were also a long shot.

However, it was not clear or obvious whether the Court would determine that the federal government has the constitutional authority to implement CASL. There is still not a lot of case law applying the general branch of the trade and commerce power, and the limited cases from the Supreme Court have set a fairly high bar for its use. The Court’s analysis on this issue is probably the most important (if unsatisfying) aspect of this case.

The bottom line is that while there are many problems with CASL, it is, according to the FCA, constitutionally valid legislation, so unless CompuFinder is willing and able to appeal to the Supreme Court (the Supreme Court would have to agree to even hear an appeal), CASL is not going anywhere.

This post only considers the jurisdictional claims. Another post by Dustin Moores provides an analysis of the substantive claims, while a subsequent post will consider the section 2(b) freedom of expression claims.

The general trade and commerce power

Sections 91 and 92 of The Constitution Act, 1867 allocate responsibility to legislate on various matters between the federal and provincial governments. The federal government has jurisdiction over things like criminal law, banking, railways, patents, and the military. The provincial governments have authority over the delivery of health care, schools, property and civil rights, among other areas of a more local nature.

Being written so long ago, the Constitution doesn’t make reference to matters like “spam”, “email”, or “internet”. In fact, the Constitution doesn’t refer specifically to many of the things that governments do, meaning that it’s often unclear exactly where jurisdiction lies for a given matter.

The federal government relies on subsection 91(2) of the Constitution as the basis for CASL, which provides the federal government with authority over the general regulation of trade affecting Canada as a whole. This is why CASL applies only to activities, like sending commercial electronic messages (CEMs) and installing computer programs, that occur “in the course of commercial activity”; any purported application to non-commercial activity would fall outside the trade and commerce power.

Given the breadth of its wording, the general branch of the trade and commerce power has been carefully construed by the courts over the years to prevent its application from effectively “eviscerating” all provincial powers. The Supreme Court set a high bar for its application in General Motors of Canada Ltd. v. City National Leasing, 1989 CanLII 133 (SCC), that was arguably pushed even higher in Reference re Securities Act, 2011 SCC 66 (CanLII), in which that court rejected the federal government’s plan for a national securities regulator (a more narrow approach was approved by the Supreme Court in 2018).

The purposes and effects of CASL are not overbroad

The first step in assessing the constitutionality of a law is to determine its true purpose. The Court was only concerned with the legislative “regime” established by section 6 (the CEM requirements), and not the regimes established under sections 7 (alteration of transmission data) or 8 (installation of computer programs).

CompuFinder argued that section 6 goes beyond trade and commerce, capturing “all messages that might have a minor commercial purpose, regulate purely local messaging and interfere with contractual terms”, meaning that the true purpose of CASL is to “regulate unsolicited messages generally” (para. 52). In other words, CASL goes beyond merely regulating “commercial” electronic messaging, delving into purposes that would fall under provincial jurisdiction over municipalities, local matters and property and civil rights, rendering the general trade and commerce power inapplicable.

The Court rejected this characterization, accepting the purposes for CASL as stated in the legislation itself and by the government during the creation of the law. The Court observed that

Section 3 thus reveals that Parliament’s intention in legislating the impugned provisions was to create a scheme regulating the sending of CEMs in order to prevent impairment of the e-economy and costs to businesses and consumers, as well as to protect confidential information and Canadians’ confidence in e-commerce

…

Parliamentary debates consistently support the conclusion that the purpose of CASL’s CEM scheme is to regulate unsolicited CEMs in order to combat spam and associated online threats in the interests of privacy and security in order to promote a healthy e-economy.

paras. 94 – 95

The Court also found that the direct and follow-through effects of CASL “do not appear to diverge substantially from its stated aim” (para. 99), regulating “only a narrow aspect” of commercial electronic messaging (para. 100). The Court considered the following factors in coming to this conclusion:

  • CASL only applies to messages that encourage participation in commercial activity;
  • CASL does not in any way affect the terms of any contract of sale, or otherwise interfere with contractual relations, as alleged by CompuFinder;
  • CASL does not regulate the content of CEMs other than requiring an unsubscribe mechanism and certain identification information, and senders are otherwise free to include any content they see fit; and
  • CASL does not displace or substantially duplicate any provincial legislation.

Provinces cannot replicate CASL

Having established the purpose of CASL, the next step is to assign the law to a “head of power”, either federal or provincial. CompuFinder attempted but failed to convince the Court that CASL falls within provincial jurisdiction under the Constitution over property and civil rights (s. 92(13)), and matters of a merely local or private nature in the province (s. 92(16)). The government relied on the general branch of the trade and commerce power under s. 91(2).

There is a five-part test for determining whether a federal law properly fits within the general trade and commerce power.

  1. The law must be part of a regulatory scheme;
  2. The scheme must be monitored by the continuing oversight of a regulatory agency;
  3. The law must be concerned with trade as a whole rather than with a particular industry;
  4. The legislation should be of a nature that provinces jointly or severally would be constitutionally incapable of enacting; and
  5. The failure to include one or more provinces or localities in a legislative scheme would jeopardize the successful operation of the scheme in other parts of the country.

Parts 1-3, straightforward and easily met in this case, are not worth discussing.

But the Court also found that CASL meets parts 4 and 5, which are always the most difficult.

On part 4, the Court concluded that although the provinces “possess the constitutional capacity to enact uniform legislation regulating unsolicited CEMs… there can be no assurance that the provinces could address these issues on a sustained basis because the provinces retain the unfettered ability of resiling from any interprovincial scheme” (para. 124). In other words, as long as one of the provinces is able to back out, the provinces are “constitutionally incapable” of acting.

The focus of part 5 is not whether the federal government is best positioned to legislate on a given matter (i.e., the optimal policy outcome), but whether the regulated matters “are essential in the national interest, transcend provincial interests and are truly national in importance and scope” (para. 125). The Court accepted the government’s arguments that federal legislation is “essential”, largely because spammers could “easily” move their operations to the most lenient province and send spam across borders.

Sensible result from an imperfect test

The Court’s analysis of the general trade and commerce power is not very satisfying.

On part 4, it seems like a big leap – even contradictory and illogical – to conclude that provinces are constitutionally incapable of implementing a regime just because one province may decide not to do so.

The part 5 conclusions aren’t any stronger. Even if several provinces failed to enact anti-spam legislation, therefore becoming havens for companies to spam the rest of Canada, laws in other jurisdictions would be enforceable against those companies. Provincial laws are enforced against out of province companies all of the time. So it’s hard to say that the absence of one or more provinces would not undermine the whole regime.

At the same time, it would be ludicrous to argue that Canadians would be better served by a patchwork of provincial anti-spam laws. Although the purpose of the appeal was to effectively “kill” CASL because provinces are unlikely to act, the implications of hypothetical provincial regulation are a nightmare. That would only make the problems associated with CASL (lack of clarity, over-regulation, legal risk, high compliance costs) even worse. So if we have to deal with anti-spam legislation, it is unquestionably preferable to have a single, federal law. This is the lens the FCA is looking through in this aspect of the case: whether anti-spam legislation fits within federal or provincial jurisdiction (not whether there should be a law at all).

But taken to its extreme, the five-part test sets a bar that is arguably impossible to meet. So the FCA is stuck with a flawed test, and some compromise (creative legal maneuvering) is necessary if the federal government is ever going to be able to rely on the general trade and commerce power.

Filed Under: CASL Tagged With: Federal Court of Appeal

Federal Court of Appeal to rule on the constitutionality of CASL

December 23, 2019 by Shaun Brown

An appeal currently before the Federal Court of Appeal is testing the constitutionality of Canada’s Anti-Spam Legislation (CASL), and, by implication, the Personal Information Protection and Electronic Documents Act (PIPEDA). The appellant in 3510395 Canada Inc. v. The Attorney General of Canada claims that CASL falls outside the federal government’s legislative powers under the Constitution Act, 1867.

3510395 Canada Inc. is “CompuFinder”, the Quebec-based company that earned the first administrative monetary penalty under CASL with the use of “aggressive” email practices. After being penalized by CRTC staff for $1.1 million in March 2014, the company made representations to the Commission on the substance of the violations, as well as arguing that CASL is unconstitutional. On the substance, the Commission found that CompuFinder did commit most of the violations alleged, while reducing the penalty from $1.1 million to $200,000. The CRTC issued a separate decision finding that CASL is constitutional. CompuFinder appealed both decisions to the Federal Court of Appeal.

This post is only concerned with the constitutional aspect of the appeal, and, more specifically, whether it properly falls within the federal government’s constitutional authority (CompuFinder also argues that CASL violates the Charter, which raises entirely separate questions). CompuFinder has asked the Federal Court of Appeal to declare all of CASL unconstitutional and therefore of no force or effect.

The constitutional challenge

Sections 91 and 92 of The Constitution Act, 1867 distribute authority to legislate on various matters between the federal and provincial governments. The federal government has jurisdiction over things like criminal law, banking, railways, patents, and the military. The provincial governments have authority over the delivery of health care, schools, property and civil rights, among other areas of a more local nature.

Not surprisingly, the Constitution doesn’t make reference to things like “spam”, “email”, “internet”, or even “privacy”. In fact, the Constitution doesn’t refer specifically to many of the things that governments do, meaning that it’s often unclear exactly where jurisdiction lies for a given matter.

The federal government relies on subsection 91(2) of the Constitution as the constitutional basis for CASL, which provides the federal government with authority over the general regulation of trade affecting Canada as a whole. This is why CASL applies only to activities, like sending commercial electronic messages (CEMs) and installing computer programs, that occur “in the course of commercial activity”; any purported application to non-commercial activity would clearly fall outside the trade and commerce power.

When a dispute arises over the constitutionality of a law, a court must determine the true purpose of the law before assigning it to a head of power. The stated purpose of CASL, found in section 3, is “to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities”. CompuFinder argues in its Notice of Appeal that CASL goes beyond that purpose by regulating “the routine day-to-day sending of commercial information within a province”, and that it “prescribes detailed, rigorous and inflexible contracting formalities that fall under the provincial power over property and civil rights”. CompuFinder also argues that CASL is really about “consumer protection”, which falls to the provinces as a matter of property and civil rights. This is not a far-fetched position.

Given the breadth of its wording, the general branch of the trade and commerce power has been carefully construed by the courts over the years to prevent its application from effectively “eviscerating” all provincial powers. The Supreme Court set a high bar for its application in General Motors of Canada Ltd. v. City National Leasing, 1989 CanLII 133 (SCC), that was arguably pushed even higher in Reference re Securities Act, 2011 SCC 66 (CanLII), in which the court rejected the federal government’s plan for a national securities regulator.

The Supreme Court has established a five-part test for determining whether a federal law properly fits within the general trade and commerce power, the most difficult requirement being that the provinces, acting alone or together, are incapable of achieving the legislative objective. It’s not about the optimal policy outcome (i.e., it doesn’t matter if the federal government could do it better), or even allowing the federal government to legislate because provinces refuse to act; it’s about whether the provinces are incapable of acting. This is a difficult test to pass.

PIPEDA remains untested

The Personal Information Protection and Electronic Documents Act (PIPEDA) is also based on the federal trade and commerce power. It applies to the collection, use and disclosure of personal information by organizations in the course of commercial activity, including federally-regulated organizations, as well as provincially-related organizations, except those in provinces that have privacy legislation deemed by the federal government to be “substantially similar”. To date this includes Alberta, B.C. and Quebec.

The application of PIPEDA to federally-regulated organizations is straightforward and uncontroversial. The constitutionality of PIPEDA’s application within the provinces, however, has been in question and remains untested since it was passed almost 20 years ago. It has avoided scrutiny only because, unlike CASL, it lacks penalties, and companies therefore do not have the same financial motivation to see it struck down.

After the Securities Reference in 2011, Michel Bastarache, a former Supreme Court Justice, published a paper in which he concluded that PIPEDA is “in fact and in form, the unilateral federal regulation of all private sector privacy matters in most provinces”, that is likely not a constitutional exercise of the trade and commerce power.

Decision due any day now

As the hearing in 3510395 Canada Inc. took place back in April 2019, a decision from the Federal Court of Appeal should be published any day now. It’s impossible to predict what the court will decide, but either way it’s likely to be appealed to the Supreme Court. This case could be the beginning of a significant change in the Canadian privacy landscape, because, if CASL is not constitutional at the end of all this, then neither is PIPEDA.

Filed Under: CASL Tagged With: CASL, CompuFinder, Constitutionality, Federal Court of Appeal

OPC guidance on data transfers: status quo (for now)

September 27, 2019 by Shaun Brown

Following a consultation process that has seen lots of twists and turns, the Office of the Privacy Commissioner of Canada (OPC) has now decided to stick with its 2009 position that organizations do not require consent to transfer personal information to third parties for processing.

Here’s a brief recap of how we ended up at this point.

In 2009, following an investigation into a complaint about transfers of personal information to third-party processors located in the U.S., the OPC published a policy position that transfers to third-party processors are not “disclosures” under the Personal Information Protection and Electronic Documents Act, regardless of the processor’s location. Rather, the OPC concluded that such a transfer is a “use” (a point that I strongly disagree with, more on this here), and, specifically, a type of use for which consent is not required. The OPC advised that, among other things, organizations transferring personal information across borders must ensure an adequate level of protection and notify individuals of the transfer and that their information could be accessed by law enforcement agencies in the foreign jurisdiction.

In 2017, Equifax experienced a massive data breach, affecting more than 143 million individuals, including approximately 19,000 Canadians. The OPC’s investigation (the report was published in April of this year) found that Equifax Canada had failed to demonstrate adequate accountability over personal information transferred to its parent company, Equifax Inc., located in the U.S., which the OPC characterized as a “third party” to Equifax Canada. The OPC found that Equifax Canada should have obtained consent to transfer the personal information of Canadians to Equifax Inc.

At the same time the Equifax report of findings was published, the OPC also published a consultation document revisiting its 2009 policy position, stating “that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.”

This, understandably, caused a near meltdown in the privacy community.

Then, speaking at the International Association of Privacy Professionals Canada Privacy Symposium May 22, Privacy Commissioner Daniel Therrien announced that the consultation would be suspended to allow the OPC to retool in light of the “Digital Charter,” which had been published by the Department of Innovation, Science and Economic Development the day before. Among other things, the Digital Charter provides a high-level outline of the federal government’s plan for amending PIPEDA.

While this announcement seemed like a potential end to the consultations, they came back to life with the OPC’s reframed discussion document, published June 11. The document requested feedback on a number of questions about how transborder data flows and transfers for processing should be addressed in the shorter and longer terms.

On Sept. 24, less than two months after the deadline for making submissions, the OPC announced that its 2009 policy position “will remain unchanged under the current law.” The OPC received a lot of submissions – 87 – the “vast majority” of which, according to the OPC, “took the view there was no requirement under [PIPEDA] to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.”

So the OPC continues to hold the position that PIPEDA does not require consent to transfer personal information to third parties for processing. This is a very good thing, because a consent requirement would be disastrous for Canadian businesses. And the OPC should be commended for conducting a real consultation, actually listening to stakeholders, and doing it all relatively quickly.

This process has made it clear that the OPC thinks that consent should be required for transfers that occur across borders. Fortunately, however, given the nearly universal rejection of this idea, it seems very unlikely the government would choose to go this route.

Filed Under: PIPEDA, Privacy Commissioner of Canada, Transborder Data Flows

Our submission to the OPC consultation on transfers for processing

August 8, 2019 by Shaun Brown

Between busy work schedules and attempts to squeeze some enjoyment out of the great summer weather, it’s not easy to find the time to write a submission to the Office of the Privacy Commissioner of Canada (OPC) consultation on transfers for processing. But we did it; not because we wanted to spend even more time indoors, but because this is a really important issue, and we wanted to be sure that our perspective was heard (our submission is here).

Until recently, the notion that a transfer of personal information for processing (regardless of the location of the processor) is not a disclosure, and does not require consent, seemed like a simple fact under PIPEDA that everyone acknowledged and accepted. It was also, in our view, intentional, reflecting one of the finer examples of foresight and wisdom demonstrated by the drafters of PIPEDA.

While we still believe this to be true, that the OPC may be trying to change this is concerning, and shows that you can never really take anything for granted in law. Here’s hoping that our submission (and, we assume, the many others with a similar perspective) is effective.

Filed Under: PIPEDA, Privacy Commissioner of Canada, Transborder Data Flows Tagged With: OPC Consultation, PIPEDA, Transborder Data Flows


Copyright © 2020 nNovation LLP. All Rights Reserved