nNovation LLP

Small Canadian regulatory law firm with a big presence


Warning: count(): Parameter must be an array or an object that implements Countable in /home/privacy4/public_html/nnovation.com/wp-content/themes/genesis-sample/functions.php on line 341

Transborder Data Flows

OPC guidance on data transfers: status quo (for now)

by Leave a Comment

Following a consultation process that has seen lots of twists and turns, the Office of the Privacy Commissioner of Canada (OPC) has now decided to stick with its 2009 position that organizations do not require consent to transfer personal information to third-parties for processing.

Here’s a brief recap of how we ended up at this point.

In 2009, following an investigation into a complaint about transfers of personal information to third-party processors located in the U.S., the OPC published a policy position that transfers to third-party processors are not “disclosures” under the Personal Information Protection and Electronic Documents Act, regardless of the processor’s location. Rather, the OPC concluded that such a transfer is a “use” (a point that I strongly disagree with, more on this here), and, specifically, a type of use for which consent is not required. The OPC advised that, among other things, organizations transferring personal information across borders must ensure an adequate level of protection and notify individuals of the transfer and that their information could be accessed by law enforcement agencies in the foreign jurisdiction.

In 2017, Equifax experienced a massive data breach, affecting more than 143 million individuals, including approximately 19,000 Canadians. The OPC’s investigation (the report was published in April of this year) found that Equifax Canada had failed to demonstrate adequate accountability over personal information transferred to its parent company, Equifax Inc., located in the U.S., which the OPC characterized as a “third party” to Equifax Canada. The OPC found that Equifax Canada should have obtained consent to transfer the personal information of Canadians to Equifax Inc.

At the same time the Equifax report of findings was published, the OPC also published a consultation document revisiting its 2009 policy position, stating that “that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.

This, understandably, caused a near meltdown in the privacy community.

Then, speaking at the International Association of Privacy Professionals Canada Privacy Symposium May 22, Privacy Commissioner Daniel Therrien announced that the consultation would be suspended to allow the OPC to retool in light of the “Digital Charter,” which had been published by the Department of Innovation, Science and Economic Development the day before. Among other things, the Digital Charter provides a high-level outline of the federal government’s plan for amending PIPEDA.

While this announcement seemed like a potential end to the consultations, they came back to life with the OPC’s reframed discussion document, published June 11. The document requested feedback on a number of questions about how transborder data flows and transfers for processing should be addressed in the shorter and longer terms.

On Sept. 24, less than two months after the deadline for making submissions, the OPC announced that its 2009 policy position “will remain unchanged under the current law.” The OPC received a lot of submissions – 87 – the “vast majority” of which, according to the OPC, “took the view there was no requirement under [PIPEDA] to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.

So the OPC continues to hold the position that PIPEDA does not require consent to transfer personal information to third parties for processing. This is a very good thing, because a consent requirement would be disastrous for Canadian businesses. And the OPC should be commended for conducting a real consultation, actually listening to stakeholders, and doing it all relatively quickly.

This process has made it clear that the OPC thinks that consent should be required for transfers that occur across borders. Fortunately, however, given the nearly universal rejection of this idea, it seems very unlikely the government would choose to go this route.

Our submission to the OPC consultation on transfers for processing

by Leave a Comment

Between busy work schedules and attempts to squeeze some enjoyment out of the great summer weather, it’s not easy to find the time to write a submission to the Office of the Privacy Commissioner of Canada (OPC) consultation on transfers for processing. But we did it; not because we wanted to spend even more time indoors, but because this is a really important issue, and we wanted to be sure that our perspective was heard (our submission is here).

Until recently, the notion that a transfer of personal information for processing (regardless of the location of the processor) is not a disclosure, and does not require consent, seemed like a simple fact under PIPEDA that everyone acknowledged and accepted. It was also, in our view, intentional, reflecting one of the finer examples of foresight and wisdom demonstrated by the drafters of PIPEDA.

While we still believe this to be true, that the OPC may be trying to change this is concerning, and shows that you can never really take anything for granted in law. Here’s hoping that our submission (and, we assume, the many others with a similar perspective) is effective.

Clarity on the Privacy Commissioner’s Consultation on Transborder Data Flows

by Leave a Comment

I (and many other privacy lawyers I’m sure) have been asked countless times this past week for clarity on the Office of the Privacy Commissioner’s consultation process regarding transborder data flows and the transfer of personal information for processing purposes. I’m humbled that people think I somehow know what to do or what to say; however, all I can do is provide my best interpretation of what’s going on and why.

For background, in case you missed it, the OPC issued its Equifax Report of Findings a few weeks ago and, at the same time, proposed a new interpretation of PIPEDA that changed the office’s position on transborder data flows. A transfer to a third party outside of the country for processing purposes was now going to be considered a disclosure – one requiring some sort of consent mechanism.

Before finalizing their position, Commissioner Therrien, as he has been known to do since taking up the mantle of Privacy Commissioner, wanted to consult more broadly with stakeholders about their proposed change in position. This resulted in a number of organizations, advocacy groups, businesses and individuals mobilizing efforts with a view of eventually providing submissions that might have influenced the final outcome.

Then, last week, the Department of Industry, Science and Economic Development (ISED, the government Ministry responsible for PIPEDA), issued some sort of commitment to modernize and amend PIPEDA in a number of significant ways.  The Digest last week had an article about it if you missed it. This (somewhat of a) commitment to change the law could very well have an impact on how Canada deals with the issue of transborder data flows and the issue of whether consent is required for processing information in this way.

Recognizing that this entire issue was therefore subject to legislative reform, Commissioner Therrien announced at last week’s Symposium during his Annual Address to the Profession, that he was suspending his consultation process so that he could restructure it in light of some of ISED’s proposals.

As of today, we are waiting to see from the OPC what their revised consultation process is going to look like.  I personally think it might get subsumed with the larger consultation process ISED has begun on PIPEDA reform. What we know for sure, however, is that if you already have a submission, the OPC has said that you can provide it to them and that they will consider it going forward.

So, all that to say, there’s a bit of uncertainty surrounding this issue.  That being said, I think it’s fair to say that there’s a bit of uncertainty when it comes to all of privacy regulation in Canada more broadly.  Apart from the transborder data flow issue, ISED’s proposals to amend PIPEDA might result in a completely different regulatory landscape that doesn’t look anything like the one we’ve got now. So, in my mind, everything seems to be a moving target. Nineteen years ago, my colleagues and I published The Law of Privacy in Canada. It was borne of the idea that privacy regulation in Canada was about to dramatically change and that people would want to learn about it. At this point, my sense is that we’re at a similar tipping point today. I certainly foresee a lot of updates to my book in the near future!

Data Localization: An Exercise in Futility?

by Leave a Comment

Last week I presented on data localization at the IAPP Canada Privacy Symposium 2019 (my slides are here).

There are a mix of laws (BC and Nova Scotia), formal policies (federal, New Brunswick and Manitoba), in addition to other, less formal policies and practices among public bodies that restrict the flows of personal information beyond the borders of Canada. Although there are a few reasons for data localization requirements around the world, Canadian restrictions arose largely because of concerns about exposure to U.S. law enforcement agencies due to the changes to the Foreign Intelligence Surveillance Act (FISA) by the USA Patriot Act. This, of course, limits the ability of public bodies to use cloud-based and other service providers.

My view is that these restrictions are based on a few fundamental misconceptions: 1) FISA poses a meaningful threat to the privacy of Canadians (it does not); and 2) keeping data physically located in Canada eliminates this threat (it does not). For the most part, keeping the data physically located in Canada does nothing to insulate it from foreign demands for disclosure if the service provider is based in a foreign jurisdiction. However, in most cases, most of the time, personal information is still more secure if it is processed by a competent cloud-based service provider, regardless of its location.

The session generated quite a bit of discussion, although I expected more people to disagree with my position (a good portion of the room was filled with government employees and service providers who were frustrated by the restrictions). Interestingly, during another Symposium session, former Information and Privacy Commissioner for British Columbia David Loukidelis stated that the proliferation of data localization requirements throughout Canada is a concerning policy development. This is notable because Loukidelis conducted a seminal study on the Patriot Act in 2004 which contributed to the first legal data localization requirement being passed in B.C.

Why the Privacy Commissioner’s New Position on Transborder Dataflows Doesn’t Work

by Leave a Comment

The Office of the Privacy Commissioner (OPC) has, at least tentatively, revised its position on transborder data flows (TBDF). In a consultation published last month, the OPC claims that consent is now required for TBDF (consent must even be “express” in some cases). It also appears that the OPC is attempting to rewrite the Personal Information Protection and Electronic Documents Act (PIPEDA) by claiming that a “transfer” of personal information by an organization to a third-party service provider for processing is a “disclosure”.

Stakeholders are concerned; in fact, the TBDF Consultation has had the rare distinction of aligning privacy advocates and industry stakeholders on the same side of an issue (Michael Geist describes the OPC’s approach as “a dramatic reinterpretation of the law”).

Although there are practical reasons why the OPC’s new position will cause big challenges – it’s a prime example of a solution in search of a problem – I take a more conceptual approach here to explain why the new guidance doesn’t make sense from a legal perspective.

A transfer is not a disclosure

A transfer of personal information to a third-party service provider for processing under PIPEDA has, since at least 2009, been considered a “use” by the OPC under PIPEDA, not a disclosure. This is the case regardless of where the service provider is located.

Leaving aside for the moment whether a transfer is even a use, there’s a good reason why a transfer is not a disclosure. Principle 4.1.3 of Schedule 1 to PIPEDA states that “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.” In The Personal Information Protection and Electronic Documents Act: An Annotated Guide, the authors provide the following commentary on Principle 4.1.3:

Clause 4.1.3 is important because it is the only area in the Act where transborder dataflow issues are addressed….The concept of custody and transfer is an important one, as opposed to disclosure, because when an organization discloses information, it must assure itself that it has the right to disclose, and once that is fulfilled and the disclosure has taken place securely, its responsibility is at an end.

However, if the information has been transferred for processing of any kind, and the organization expects to maintain an interest in the data, it retains responsibility and must use contractual or other means to provide a comparable level of protection[emphasis added].

This clearly explains why it doesn’t make sense to call a transfer a disclosure, as it misconstrues the meaning of a disclosure under PIPEDA. Once an organization discloses personal information, it is no longer accountable for the personal information that has been transferred. In other words, you can’t say that an organization has disclosed personal information, while at the same time claim that it is still has an interest in and remains accountable for that information.

The Annotated Guide, which was published in 2001 just after PIPEDA began coming into effect, carries considerable weight given that two of its four authors were directly involved in drafting and developing PIPEDA (Heather Black and Stephanie Perrin were at Justice Canada and Industry Canada, respectively). In the early years of PIPEDA this book was one of very few meaningful resources available.

If the OPC insists on calling a transfer a disclosure, it suggests that organizations somehow remain accountable for personal information post-disclosure in some cases, but not in others. To attempt to distinguish these cases based merely on the fact that a transfer occurs across borders is an arbitrary legal fiction.

But a transfer is a use, right? (No, it’s not)

While the authors of the Annotated Guide were clear that a transfer is not a disclosure under PIPEDA, they also did not state that a transfer is a use. This interpretation appears to come from the OPC. Guidelines on TBDF published back in 2009 state the following: “A “Transfer” is a use by the organization. It is not to be confused with a disclosure.

Referring to a transfer as a use avoids the issue of trying to create post-disclosure accountability for personal information, but it is also a strained interpretation that comes with its own conceptual problems.

In defining authority for the collection, use and disclosure of personal information, privacy legislation in Canada (in all sectors) focusses on “purposes”. The default rule under PIPEDA is that consent is required for the collection, use, or disclosure of personal information for most purposes, with narrowly defined exceptions for others. When obtaining consent, organizations must explain the purposes for which personal information is collected, used or disclosed, and limit collection, use and disclosure to personal information reasonably required for those purposes.

Public sector (and, to a slightly lesser extent, health information) privacy laws focus less on consent, and more on defining in legislation the specific purposes for which personal information can be collected, used and disclosed.

A transfer, as that concept is understood in Principle 4.1.3, is not a use in and of itself. Organizations do not collect personal information for the purpose of transferring it. They collect and use personal information for things like processing payments, delivering products and services, email marketing, profiling and tailoring ads and marketing campaigns to consumers, paying employees, etc. A transfer to a service provider is merely a product of decision by an organization about how to process personal information for those purposes. In other words, as a process to carry out a purpose, a transfer is a means to an end.

The Federal Court of Appeal acknowledged this distinction between process and purpose in 2017 in Toronto Real Estate Board (TREB) v. Commissioner of Competition. In determining the rights of brokerages to publish information about property listings on “Virtual Office Websites”, or “VOWs”, the court considered language in Ontario real estate listing agreements that provides real estate boards and brokerages with consent to “make….use of the information as the Brokerage and/or real estate board(s) deem appropriate, in connection with the listing, marketing and selling of real estate during the term of the listing and thereafter.” TREB attempted to argue that this did not allow for the distribution of listing information through VOWs, because it was a new method of distribution not explicitly mentioned in the listing agreement. The court rejected this argument, stating that

PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet….does not accord with the unequivocal language of the consent [para. 165].

Thus, the Federal Court of Appeal recognized that if an organization has consent to use personal information for a given purpose, it does not also require consent for the particular process(es) of how that purpose is carried out.

The OPC had it right the first time

In the well-known 2005 CIBC case summary, the OPC found that CIBC did not require consent to use foreign-based third party service providers, but that organizations should notify consumers that outsourcing arrangements could make personal information vulnerable to foreign demands for disclosure. It also reminded organizations of the requirement under the Accountability Principle to have appropriate measures in place to ensure the protection of personal information when outsourcing, regardless of the location of service providers. The OPC got it right in this case because it did not refer to the transfer as a use (or a disclosure).

The OPC’s new position, for the time being, would appear to only target transfers across borders. However, while some people may be uncomfortable about having their personal information processed in another country, according to the law, a transfer remains a transfer regardless of where the processing takes place. In other words, there is nothing substantively different about a transfer across borders that turns the transfer into a use, or disclosure, therefore triggering consent requirements.

It may be tempting to cede the point that a transfer is either a use or disclosure, so long as the OPC agrees that implied consent is acceptable (and surely it would need to be, especially given the Supreme Court’s broad interpretation of implied consent in RBC. v. Trang). However, for the many privacy professionals who need to interpret, understand and explain the meaning of privacy legislation to their clients on a daily basis, precision matters. Agreeing to twist legal concepts to settle the matter of the day will only cause bigger headaches down the road. If the OPC really wants to be able to tell organizations that they need consent for transfers of personal information, under any circumstance, it needs to convince the government to change the law.

(Edit: The Commissioner announced on May 22 that the OPC’s TBDF consultation “in its current form” has been “paused” following the announcement of the Digital Charter by Innovation, Science and Economic Development Canada).