nNovation LLP

Small Canadian regulatory law firm with a big presence
Transborder Data Flows

Schrems II: Impact on Data Flows with Canada

August 18, 2020 by Constantine Karbaliotis

On 16 July 2020 the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II, sending a shockwave through the privacy, tech and business communities with its determination that the Privacy Shield is no longer a valid basis for transferring EU personal data to the US. Though focused on the US, the decision has the potential to affect Canadian businesses in a number of ways.

We will not reiterate what has already been described in numerous articles available through the IAPP about the decision itself, its history and lead-up; an excellent Canadian-oriented perspective is provided by Colin Bennett here. For what Canadian companies need to do about it, some background about Canada and its adequacy determination is needed. We will be developing some further articles to address Canadian concerns and provide practical tips, and we hope you will follow along with us.

The Limits of Adequacy

Canada’s adequacy determination in Commission Decision 2002/2/EC was limited to data under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA covers: (1) organizations that fall under federal jurisdiction, such as banks, airlines and telecommunications companies; (2) works declared to be federal works or undertakings; and (3) commercial activities, whether under federal or provincial law, involving the collection, use or disclosure of personal information, where the province has not passed substantially similar legislation. Note that employee data, other than that of organizations falling under (1) and (2) of PIPEDA’s ambit, is therefore not covered by the adequacy determination.

To date, Alberta, British Columbia and Quebec have privacy legislation that takes commercial activities in those provinces out of federal jurisdiction through the ‘substantial similarity’ exemption to PIPEDA. Federal privacy law defers to provincial law if a province meets the substantial similarity test, providing a baseline of privacy regulation across Canada. This division of authority matters because the laws of provinces recognized as substantially similar have not themselves been given the stamp of ‘adequacy.’ The Commission Decision explicitly notes that the ‘substantial similarity’ exclusion only applies to processing activities within the province in question. Once processing involves another province or country, PIPEDA applies.

Employment data transfers in cases falling under (3) above should always have been done pursuant to another international data transfer mechanism, such as Standard Contractual Clauses (SCCs), rather than adequacy: as long as the data remains within the province, it is under the exclusive jurisdiction of that province, not PIPEDA, and therefore cannot benefit from the adequacy decision. Many European lawyers are well aware of this fine point, though many in Canada have been surprised by the distinction. The original EU decision anticipated a process by which Canadian federal recognition of substantial similarity would lead to an adequacy determination that would close these gaps; that process was never actually developed.

The consequence is that a careful review is required to determine whether adequacy applies to the personal data that a controller or processor will be processing in Canada. If it does not, SCCs are required, and this in turn requires the same kind of risk-based analysis that our US counterparts are now undertaking.

There are some fundamental differences between that risk assessment in the US and that in Canada. This will be the subject of a future article, but in short, while Canada is a member of the “Five Eyes,” there are different legal redress mechanisms, Supreme Court of Canada decisions, and other considerations which may make the risk considerably lower than for equivalent transfers to the US.

Impacts on Canadian Data Flows

The impact for Canada lies in three main areas:

  1. Companies that rely on Standard Contractual Clauses (SCCs), rather than Canada’s adequacy determination, to process data of European residents, whether as a data controller or as a processor, must immediately undertake a formal risk assessment that addresses the risk associated with transferring the personal data being processed to Canada. The nature of that risk assessment, and what companies can rely upon, will as mentioned be the subject of an article in its own right. However, documenting this risk analysis, as well as identifying and implementing appropriate risk mitigations, is essential to preserving those data transfers; see this interview with Abigail expanding on this assessment.
  2. Canadian companies that relied, indirectly, on Privacy Shield certification to process Europeans’ data in the US: The Privacy Shield determination applied solely to EU to US data transfers. Some Canadian entities may, perhaps optimistically, have relied on their parent’s, subsidiaries’ or even processors’ Privacy Shield certification to address onward transfers to the US, in lieu of a formal agreement. As Privacy Shield is no longer valid, these companies must now repair this misapprehension.
  3. Canadian companies that rely on service providers, entities or cloud services based in the US or other third countries to process EU personal data (“onward transfers”): While the Schrems II decision does not attack or undermine current adequacy determinations, onward transfers have always been a sticking point for the EU in relation to Canadian adequacy, based on the concern that onward transfers from Canada to the US or elsewhere are not subject to the same restrictions as transfers made directly from the EU. Canadian companies need to ensure they have undertaken the appropriate risk analysis, and documented and put in place SCCs or their equivalent, whether relying on adequacy or not. This applies whether the transfer is made to the US or to any other non-adequate country. GDPR requirements follow the data: a Canadian controller must ensure the processing can continue to comply with GDPR ‘down the chain’, regardless of where the data is transferred. And a Canadian processor’s duty to process personal data only on the controller’s instructions extends to any international data transfers. Canadian companies relying on US sub-processors should expect a call in the near term.

Canadian accountability principles require (as recently reinforced by the Equifax decision) some formality around transfers out of Canada of Canadians’ personal information. It is arguable that the Equifax decision, rather than being one explained by consent principles, is really about accountability and the need to formally ensure that a data controller (to use EU parlance) remains in effective control of the processing activities carried out by its processor. Complying with PIPEDA’s accountability principles can therefore be part-and-parcel of addressing the challenges arising from Schrems II in relation to onward transfers.

So to summarize needed actions by Canadian companies:

  • If you are processing data as a controller, or as a processor for a client with EU personal data, and relying on onward transfers, first do a risk assessment; then, assuming the risks are addressable, put in place SCCs between yourself and any organization doing processing for you in a non-adequate country;
  • If you are relying on adequacy for transfers from the EU to Canada, be sure you are correct in doing so; if you cannot rely on adequacy, again, conduct a risk assessment and document the transfer with SCCs.

There are further action steps for Canadian companies, which we will also address in future articles. We should not rest on our adequacy laurels. Be aware that Canada, along with all other countries in the ‘league of the adequate’, will have its adequacy determination reviewed by 2022. We can likely anticipate hearing from the EU concerning Canada’s adequacy status this fall.

To avoid the kind of disruption our friends in the US are experiencing, it is important to consider what fall-backs your organization would rely upon to ensure that data transfers from the EU are not disrupted, as we have not been good at updating our privacy legislation quickly. Canadian companies need to consider how to switch to SCCs, or find alternative mechanisms. This is not going to be easy or quick, so planning now is essential.

We also need to address privacy reform. Enlightened self-interest would dictate that Canadian businesses press our governments to act on privacy reform, first for our own sakes, as Canada’s needs should drive our discussion, but also to preserve Canada’s trade relationships with the EU, which in these uncertain times are more important than ever.

Filed Under: Adequacy, Privacy Shield, Transborder Data Flows

OPC guidance on data transfers: status quo (for now)

September 27, 2019 by Shaun Brown

Following a consultation process that has seen lots of twists and turns, the Office of the Privacy Commissioner of Canada (OPC) has now decided to stick with its 2009 position that organizations do not require consent to transfer personal information to third parties for processing.

Here’s a brief recap of how we ended up at this point.

In 2009, following an investigation into a complaint about transfers of personal information to third-party processors located in the U.S., the OPC published a policy position that transfers to third-party processors are not “disclosures” under the Personal Information Protection and Electronic Documents Act, regardless of the processor’s location. Rather, the OPC concluded that such a transfer is a “use” (a point that I strongly disagree with, more on this here), and, specifically, a type of use for which consent is not required. The OPC advised that, among other things, organizations transferring personal information across borders must ensure an adequate level of protection and notify individuals of the transfer and that their information could be accessed by law enforcement agencies in the foreign jurisdiction.

In 2017, Equifax experienced a massive data breach, affecting more than 143 million individuals, including approximately 19,000 Canadians. The OPC’s investigation (the report was published in April of this year) found that Equifax Canada had failed to demonstrate adequate accountability over personal information transferred to its parent company, Equifax Inc., located in the U.S., which the OPC characterized as a “third party” to Equifax Canada. The OPC found that Equifax Canada should have obtained consent to transfer the personal information of Canadians to Equifax Inc.

At the same time the Equifax report of findings was published, the OPC also published a consultation document revisiting its 2009 policy position, stating that “transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.”

This, understandably, caused a near meltdown in the privacy community.

Then, speaking at the International Association of Privacy Professionals Canada Privacy Symposium May 22, Privacy Commissioner Daniel Therrien announced that the consultation would be suspended to allow the OPC to retool in light of the “Digital Charter,” which had been published by the Department of Innovation, Science and Economic Development the day before. Among other things, the Digital Charter provides a high-level outline of the federal government’s plan for amending PIPEDA.

While this announcement seemed like a potential end to the consultations, they came back to life with the OPC’s reframed discussion document, published June 11. The document requested feedback on a number of questions about how transborder data flows and transfers for processing should be addressed in the shorter and longer terms.

On Sept. 24, less than two months after the deadline for making submissions, the OPC announced that its 2009 policy position “will remain unchanged under the current law.” The OPC received a lot of submissions – 87 – the “vast majority” of which, according to the OPC, “took the view there was no requirement under [PIPEDA] to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.”

So the OPC continues to hold the position that PIPEDA does not require consent to transfer personal information to third parties for processing. This is a very good thing, because a consent requirement would be disastrous for Canadian businesses. And the OPC should be commended for conducting a real consultation, actually listening to stakeholders, and doing it all relatively quickly.

This process has made it clear that the OPC thinks that consent should be required for transfers that occur across borders. Fortunately, however, given the nearly universal rejection of this idea, it seems very unlikely the government would choose to go this route.

Filed Under: PIPEDA, Privacy Commissioner of Canada, Transborder Data Flows

Our submission to the OPC consultation on transfers for processing

August 8, 2019 by Shaun Brown

Between busy work schedules and attempts to squeeze some enjoyment out of the great summer weather, it’s not easy to find the time to write a submission to the Office of the Privacy Commissioner of Canada (OPC) consultation on transfers for processing. But we did it; not because we wanted to spend even more time indoors, but because this is a really important issue, and we wanted to be sure that our perspective was heard (our submission is here).

Until recently, the notion that a transfer of personal information for processing (regardless of the location of the processor) is not a disclosure, and does not require consent, seemed like a simple fact under PIPEDA that everyone acknowledged and accepted. It was also, in our view, intentional, reflecting one of the finer examples of foresight and wisdom demonstrated by the drafters of PIPEDA.

While we still believe this to be true, that the OPC may be trying to change this is concerning, and shows that you can never really take anything for granted in law. Here’s hoping that our submission (and, we assume, the many others with a similar perspective) is effective.

Filed Under: PIPEDA, Privacy Commissioner of Canada, Transborder Data Flows Tagged With: OPC Consultation, PIPEDA, Transborder Data Flows

Clarity on the Privacy Commissioner’s Consultation on Transborder Data Flows

May 31, 2019 by Kris Klein

I (and many other privacy lawyers I’m sure) have been asked countless times this past week for clarity on the Office of the Privacy Commissioner’s consultation process regarding transborder data flows and the transfer of personal information for processing purposes. I’m humbled that people think I somehow know what to do or what to say; however, all I can do is provide my best interpretation of what’s going on and why.

For background, in case you missed it, the OPC issued its Equifax Report of Findings a few weeks ago and, at the same time, proposed a new interpretation of PIPEDA that changed the office’s position on transborder data flows. A transfer to a third party outside of the country for processing purposes was now going to be considered a disclosure – one requiring some sort of consent mechanism.

Before finalizing the position, Commissioner Therrien, as he has been known to do since taking up the mantle of Privacy Commissioner, wanted to consult more broadly with stakeholders about the proposed change. This resulted in a number of organizations, advocacy groups, businesses and individuals mobilizing efforts with a view to eventually providing submissions that might influence the final outcome.

Then, last week, the Department of Innovation, Science and Economic Development (ISED, the government department responsible for PIPEDA) issued something of a commitment to modernize and amend PIPEDA in a number of significant ways. The Digest last week had an article about it if you missed it. This (somewhat of a) commitment to change the law could very well have an impact on how Canada deals with transborder data flows and whether consent is required for processing information in this way.

Recognizing that this entire issue was therefore subject to legislative reform, Commissioner Therrien announced at last week’s Symposium during his Annual Address to the Profession, that he was suspending his consultation process so that he could restructure it in light of some of ISED’s proposals.

As of today, we are waiting to see from the OPC what their revised consultation process is going to look like. I personally think it might get subsumed within the larger consultation process ISED has begun on PIPEDA reform. What we know for sure, however, is that if you already have a submission, the OPC has said that you can provide it to them and that they will consider it going forward.

So, all that to say, there’s a bit of uncertainty surrounding this issue. That being said, I think it’s fair to say that there’s a bit of uncertainty when it comes to all of privacy regulation in Canada more broadly. Apart from the transborder data flow issue, ISED’s proposals to amend PIPEDA might result in a completely different regulatory landscape that doesn’t look anything like the one we’ve got now. So, in my mind, everything seems to be a moving target. Nineteen years ago, my colleagues and I published The Law of Privacy in Canada. It was born of the idea that privacy regulation in Canada was about to dramatically change and that people would want to learn about it. At this point, my sense is that we’re at a similar tipping point today. I certainly foresee a lot of updates to my book in the near future!

Filed Under: PIPEDA, Privacy Commissioner of Canada, Transborder Data Flows

Data Localization: An Exercise in Futility?

May 27, 2019 by Shaun Brown

Last week I presented on data localization at the IAPP Canada Privacy Symposium 2019 (my slides are here).

There are a mix of laws (BC and Nova Scotia), formal policies (federal, New Brunswick and Manitoba), in addition to other, less formal policies and practices among public bodies that restrict the flows of personal information beyond the borders of Canada. Although there are a few reasons for data localization requirements around the world, Canadian restrictions arose largely because of concerns about exposure to U.S. law enforcement agencies due to the changes to the Foreign Intelligence Surveillance Act (FISA) by the USA Patriot Act. This, of course, limits the ability of public bodies to use cloud-based and other service providers.

My view is that these restrictions are based on a few fundamental misconceptions: 1) FISA poses a meaningful threat to the privacy of Canadians (it does not); and 2) keeping data physically located in Canada eliminates this threat (it does not). For the most part, keeping the data physically located in Canada does nothing to insulate it from foreign demands for disclosure if the service provider is based in a foreign jurisdiction. However, in most cases, most of the time, personal information is still more secure if it is processed by a competent cloud-based service provider, regardless of its location.

The session generated quite a bit of discussion, although I expected more people to disagree with my position (a good portion of the room was filled with government employees and service providers who were frustrated by the restrictions). Interestingly, during another Symposium session, former Information and Privacy Commissioner for British Columbia David Loukidelis stated that the proliferation of data localization requirements throughout Canada is a concerning policy development. This is notable because Loukidelis conducted a seminal study on the Patriot Act in 2004 which contributed to the first legal data localization requirement being passed in B.C.

Filed Under: PIPEDA, Privacy, Transborder Data Flows

Why the Privacy Commissioner’s New Position on Transborder Dataflows Doesn’t Work

May 9, 2019 by Shaun Brown

The Office of the Privacy Commissioner (OPC) has, at least tentatively, revised its position on transborder data flows (TBDF). In a consultation published last month, the OPC claims that consent is now required for TBDF (consent must even be “express” in some cases). It also appears that the OPC is attempting to rewrite the Personal Information Protection and Electronic Documents Act (PIPEDA) by claiming that a “transfer” of personal information by an organization to a third-party service provider for processing is a “disclosure”.

Stakeholders are concerned; in fact, the TBDF Consultation has had the rare distinction of aligning privacy advocates and industry stakeholders on the same side of an issue (Michael Geist describes the OPC’s approach as “a dramatic reinterpretation of the law”).

Although there are practical reasons why the OPC’s new position will cause big challenges – it’s a prime example of a solution in search of a problem – I take a more conceptual approach here to explain why the new guidance doesn’t make sense from a legal perspective.

A transfer is not a disclosure

A transfer of personal information to a third-party service provider for processing has, since at least 2009, been considered by the OPC to be a “use” under PIPEDA, not a disclosure. This is the case regardless of where the service provider is located.

Leaving aside for the moment whether a transfer is even a use, there’s a good reason why a transfer is not a disclosure. Principle 4.1.3 of Schedule 1 to PIPEDA states that “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” In The Personal Information Protection and Electronic Documents Act: An Annotated Guide, the authors provide the following commentary on Principle 4.1.3:

Clause 4.1.3 is important because it is the only area in the Act where transborder dataflow issues are addressed…. The concept of custody and transfer is an important one, as opposed to disclosure, because when an organization discloses information, it must assure itself that it has the right to disclose, and once that is fulfilled and the disclosure has taken place securely, its responsibility is at an end.

However, if the information has been transferred for processing of any kind, and the organization expects to maintain an interest in the data, it retains responsibility and must use contractual or other means to provide a comparable level of protection[emphasis added].

This clearly explains why it doesn’t make sense to call a transfer a disclosure, as it misconstrues the meaning of a disclosure under PIPEDA. Once an organization discloses personal information, it is no longer accountable for the personal information that has been transferred. In other words, you can’t say that an organization has disclosed personal information while at the same time claiming that it still has an interest in, and remains accountable for, that information.

The Annotated Guide, which was published in 2001 just after PIPEDA began coming into effect, carries considerable weight given that two of its four authors were directly involved in drafting and developing PIPEDA (Heather Black and Stephanie Perrin were at Justice Canada and Industry Canada, respectively). In the early years of PIPEDA this book was one of very few meaningful resources available.

If the OPC insists on calling a transfer a disclosure, it suggests that organizations somehow remain accountable for personal information post-disclosure in some cases, but not in others. To attempt to distinguish these cases based merely on the fact that a transfer occurs across borders is an arbitrary legal fiction.

But a transfer is a use, right? (No, it’s not)

While the authors of the Annotated Guide were clear that a transfer is not a disclosure under PIPEDA, they also did not state that a transfer is a use. This interpretation appears to come from the OPC. Guidelines on TBDF published back in 2009 state the following: “A ‘Transfer’ is a use by the organization. It is not to be confused with a disclosure.”

Referring to a transfer as a use avoids the issue of trying to create post-disclosure accountability for personal information, but it is also a strained interpretation that comes with its own conceptual problems.

In defining authority for the collection, use and disclosure of personal information, privacy legislation in Canada (in all sectors) focusses on “purposes”. The default rule under PIPEDA is that consent is required for the collection, use, or disclosure of personal information for most purposes, with narrowly defined exceptions for others. When obtaining consent, organizations must explain the purposes for which personal information is collected, used or disclosed, and limit collection, use and disclosure to personal information reasonably required for those purposes.

Public sector (and, to a slightly lesser extent, health information) privacy laws focus less on consent, and more on defining in legislation the specific purposes for which personal information can be collected, used and disclosed.

A transfer, as that concept is understood in Principle 4.1.3, is not a use in and of itself. Organizations do not collect personal information for the purpose of transferring it. They collect and use personal information for things like processing payments, delivering products and services, email marketing, profiling and tailoring ads and marketing campaigns to consumers, paying employees, etc. A transfer to a service provider is merely the product of a decision by an organization about how to process personal information for those purposes. In other words, as a process to carry out a purpose, a transfer is a means to an end.

The Federal Court of Appeal acknowledged this distinction between process and purpose in 2017 in Toronto Real Estate Board (TREB) v. Commissioner of Competition. In determining the rights of brokerages to publish information about property listings on “Virtual Office Websites”, or “VOWs”, the court considered language in Ontario real estate listing agreements that provides real estate boards and brokerages with consent to “make… use of the information as the Brokerage and/or real estate board(s) deem appropriate, in connection with the listing, marketing and selling of real estate during the term of the listing and thereafter.” TREB attempted to argue that this did not allow for the distribution of listing information through VOWs, because it was a new method of distribution not explicitly mentioned in the listing agreement. The court rejected this argument, stating that

PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient – because they did not contemplate use of the internet… – does not accord with the unequivocal language of the consent [para. 165].

Thus, the Federal Court of Appeal recognized that if an organization has consent to use personal information for a given purpose, it does not also require consent for the particular process(es) of how that purpose is carried out.

The OPC had it right the first time

In the well-known 2005 CIBC case summary, the OPC found that CIBC did not require consent to use foreign-based third party service providers, but that organizations should notify consumers that outsourcing arrangements could make personal information vulnerable to foreign demands for disclosure. It also reminded organizations of the requirement under the Accountability Principle to have appropriate measures in place to ensure the protection of personal information when outsourcing, regardless of the location of service providers. The OPC got it right in this case because it did not refer to the transfer as a use (or a disclosure).

The OPC’s new position, for the time being, would appear to only target transfers across borders. However, while some people may be uncomfortable about having their personal information processed in another country, according to the law, a transfer remains a transfer regardless of where the processing takes place. In other words, there is nothing substantively different about a transfer across borders that turns the transfer into a use, or disclosure, therefore triggering consent requirements.

It may be tempting to cede the point that a transfer is either a use or a disclosure, so long as the OPC agrees that implied consent is acceptable (and surely it would need to be, especially given the Supreme Court’s broad interpretation of implied consent in RBC v. Trang). However, for the many privacy professionals who need to interpret, understand and explain the meaning of privacy legislation to their clients on a daily basis, precision matters. Agreeing to twist legal concepts to settle the matter of the day will only cause bigger headaches down the road. If the OPC really wants to be able to tell organizations that they need consent for transfers of personal information, under any circumstance, it needs to convince the government to change the law.

(Edit: The Commissioner announced on May 22 that the OPC’s TBDF consultation “in its current form” has been “paused” following the announcement of the Digital Charter by Innovation, Science and Economic Development Canada).

Filed Under: PIPEDA, Privacy, Transborder Data Flows Tagged With: PIPEDA, Privacy, Privacy Commissioner of Canada, Transborder Data Flows

Copyright © 2020 nNovation LLP. All Rights Reserved