nNovation LLP

Small Canadian regulatory law firm with a big presence

Privacy

Data Localization: An Exercise in Futility?

by Leave a Comment

Last week I presented on data localization at the IAPP Canada Privacy Symposium 2019 (my slides are here).

There are a mix of laws (BC and Nova Scotia), formal policies (federal, New Brunswick and Manitoba), in addition to other, less formal policies and practices among public bodies that restrict the flows of personal information beyond the borders of Canada. Although there are a few reasons for data localization requirements around the world, Canadian restrictions arose largely because of concerns about exposure to U.S. law enforcement agencies due to the changes to the Foreign Intelligence Surveillance Act (FISA) by the USA Patriot Act. This, of course, limits the ability of public bodies to use cloud-based and other service providers.

My view is that these restrictions are based on a few fundamental misconceptions: 1) FISA poses a meaningful threat to the privacy of Canadians (it does not); and 2) keeping data physically located in Canada eliminates this threat (it does not). For the most part, keeping the data physically located in Canada does nothing to insulate it from foreign demands for disclosure if the service provider is based in a foreign jurisdiction. However, in most cases, most of the time, personal information is still more secure if it is processed by a competent cloud-based service provider, regardless of its location.

The session generated quite a bit of discussion, although I expected more people to disagree with my position (a good portion of the room was filled with government employees and service providers who were frustrated by the restrictions). Interestingly, during another Symposium session, former Information and Privacy Commissioner for British Columbia David Loukidelis stated that the proliferation of data localization requirements throughout Canada is a concerning policy development. This is notable because Loukidelis conducted a seminal study on the Patriot Act in 2004 which contributed to the first legal data localization requirement being passed in B.C.

Why the Privacy Commissioner’s New Position on Transborder Dataflows Doesn’t Work

by Leave a Comment

The Office of the Privacy Commissioner (OPC) has, at least tentatively, revised its position on transborder data flows (TBDF). In a consultation published last month, the OPC claims that consent is now required for TBDF (consent must even be “express” in some cases). It also appears that the OPC is attempting to rewrite the Personal Information Protection and Electronic Documents Act (PIPEDA) by claiming that a “transfer” of personal information by an organization to a third-party service provider for processing is a “disclosure”.

Stakeholders are concerned; in fact, the TBDF Consultation has had the rare distinction of aligning privacy advocates and industry stakeholders on the same side of an issue (Michael Geist describes the OPC’s approach as “a dramatic reinterpretation of the law”).

Although there are practical reasons why the OPC’s new position will cause big challenges – it’s a prime example of a solution in search of a problem – I take a more conceptual approach here to explain why the new guidance doesn’t make sense from a legal perspective.

A transfer is not a disclosure

A transfer of personal information to a third-party service provider for processing under PIPEDA has, since at least 2009, been considered a “use” by the OPC under PIPEDA, not a disclosure. This is the case regardless of where the service provider is located.

Leaving aside for the moment whether a transfer is even a use, there’s a good reason why a transfer is not a disclosure. Principle 4.1.3 of Schedule 1 to PIPEDA states that “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” In The Personal Information Protection and Electronic Documents Act: An Annotated Guide, the authors provide the following commentary on Principle 4.1.3:

Clause 4.1.3 is important because it is the only area in the Act where transborder dataflow issues are addressed….The concept of custody and transfer is an important one, as opposed to disclosure, because when an organization discloses information, it must assure itself that it has the right to disclose, and once that is fulfilled and the disclosure has taken place securely, its responsibility is at an end.

However, if the information has been transferred for processing of any kind, and the organization expects to maintain an interest in the data, it retains responsibility and must use contractual or other means to provide a comparable level of protection[emphasis added].

This clearly explains why it doesn’t make sense to call a transfer a disclosure, as it misconstrues the meaning of a disclosure under PIPEDA. Once an organization discloses personal information, it is no longer accountable for the personal information that has been transferred. In other words, you can’t say that an organization has disclosed personal information, while at the same time claim that it is still has an interest in and remains accountable for that information.

The Annotated Guide, which was published in 2001 just after PIPEDA began coming into effect, carries considerable weight given that two of its four authors were directly involved in drafting and developing PIPEDA (Heather Black and Stephanie Perrin were at Justice Canada and Industry Canada, respectively). In the early years of PIPEDA this book was one of very few meaningful resources available.

If the OPC insists on calling a transfer a disclosure, it suggests that organizations somehow remain accountable for personal information post-disclosure in some cases, but not in others. To attempt to distinguish these cases based merely on the fact that a transfer occurs across borders is an arbitrary legal fiction.

But a transfer is a use, right? (No, it’s not)

While the authors of the Annotated Guide were clear that a transfer is not a disclosure under PIPEDA, they also did not state that a transfer is a use. This interpretation appears to come from the OPC. Guidelines on TBDF published back in 2009 state the following: “A “Transfer” is a use by the organization. It is not to be confused with a disclosure.

Referring to a transfer as a use avoids the issue of trying to create post-disclosure accountability for personal information, but it is also a strained interpretation that comes with its own conceptual problems.

In defining authority for the collection, use and disclosure of personal information, privacy legislation in Canada (in all sectors) focusses on “purposes”. The default rule under PIPEDA is that consent is required for the collection, use, or disclosure of personal information for most purposes, with narrowly defined exceptions for others. When obtaining consent, organizations must explain the purposes for which personal information is collected, used or disclosed, and limit collection, use and disclosure to personal information reasonably required for those purposes.

Public sector (and, to a slightly lesser extent, health information) privacy laws focus less on consent, and more on defining in legislation the specific purposes for which personal information can be collected, used and disclosed.

A transfer, as that concept is understood in Principle 4.1.3, is not a use in and of itself. Organizations do not collect personal information for the purpose of transferring it. They collect and use personal information for things like processing payments, delivering products and services, email marketing, profiling and tailoring ads and marketing campaigns to consumers, paying employees, etc. A transfer to a service provider is merely a product of decision by an organization about how to process personal information for those purposes. In other words, as a process to carry out a purpose, a transfer is a means to an end.

The Federal Court of Appeal acknowledged this distinction between process and purpose in 2017 in Toronto Real Estate Board (TREB) v. Commissioner of Competition. In determining the rights of brokerages to publish information about property listings on “Virtual Office Websites”, or “VOWs”, the court considered language in Ontario real estate listing agreements that provides real estate boards and brokerages with consent to “make….use of the information as the Brokerage and/or real estate board(s) deem appropriate, in connection with the listing, marketing and selling of real estate during the term of the listing and thereafter.” TREB attempted to argue that this did not allow for the distribution of listing information through VOWs, because it was a new method of distribution not explicitly mentioned in the listing agreement. The court rejected this argument, stating that

PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet….does not accord with the unequivocal language of the consent [para. 165].

Thus, the Federal Court of Appeal recognized that if an organization has consent to use personal information for a given purpose, it does not also require consent for the particular process(es) of how that purpose is carried out.

The OPC had it right the first time

In the well-known 2005 CIBC case summary, the OPC found that CIBC did not require consent to use foreign-based third party service providers, but that organizations should notify consumers that outsourcing arrangements could make personal information vulnerable to foreign demands for disclosure. It also reminded organizations of the requirement under the Accountability Principle to have appropriate measures in place to ensure the protection of personal information when outsourcing, regardless of the location of service providers. The OPC got it right in this case because it did not refer to the transfer as a use (or a disclosure).

The OPC’s new position, for the time being, would appear to only target transfers across borders. However, while some people may be uncomfortable about having their personal information processed in another country, according to the law, a transfer remains a transfer regardless of where the processing takes place. In other words, there is nothing substantively different about a transfer across borders that turns the transfer into a use, or disclosure, therefore triggering consent requirements.

It may be tempting to cede the point that a transfer is either a use or disclosure, so long as the OPC agrees that implied consent is acceptable (and surely it would need to be, especially given the Supreme Court’s broad interpretation of implied consent in RBC. v. Trang). However, for the many privacy professionals who need to interpret, understand and explain the meaning of privacy legislation to their clients on a daily basis, precision matters. Agreeing to twist legal concepts to settle the matter of the day will only cause bigger headaches down the road. If the OPC really wants to be able to tell organizations that they need consent for transfers of personal information, under any circumstance, it needs to convince the government to change the law.

(Edit: The Commissioner announced on May 22 that the OPC’s TBDF consultation “in its current form” has been “paused” following the announcement of the Digital Charter by Innovation, Science and Economic Development Canada).