• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer
nNovation LLP

nNovation LLP

Small Canadian regulatory law firm with a big presence

  • Home
  • About Us
  • Our Team
    • Kim D.G. Alexander-Cook
    • Timothy M. Banks
    • Shaun Brown
    • Anne-Marie Hayden
    • Constantine Karbaliotis
    • Kris Klein
    • Dustin Moores
    • Florence So
  • Blog

Posted By: Shaun Brown September 27, 2019Category: PIPEDA

OPC guidance on data transfers: status quo (for now)

Following a consultation process that has seen lots of twists and turns, the Office of the Privacy Commissioner of Canada (OPC) has now decided to stick with its 2009 position that organizations do not require consent to transfer personal information to third-parties for processing.

Here’s a brief recap of how we ended up at this point.

In 2009, following an investigation into a complaint about transfers of personal information to third-party processors located in the U.S., the OPC published a policy position that transfers to third-party processors are not “disclosures” under the Personal Information Protection and Electronic Documents Act, regardless of the processor’s location. Rather, the OPC concluded that such a transfer is a “use” (a point that I strongly disagree with, more on this here), and, specifically, a type of use for which consent is not required. The OPC advised that, among other things, organizations transferring personal information across borders must ensure an adequate level of protection and notify individuals of the transfer and that their information could be accessed by law enforcement agencies in the foreign jurisdiction.

In 2017, Equifax experienced a massive data breach, affecting more than 143 million individuals, including approximately 19,000 Canadians. The OPC’s investigation (the report was published in April of this year) found that Equifax Canada had failed to demonstrate adequate accountability over personal information transferred to its parent company, Equifax Inc., located in the U.S., which the OPC characterized as a “third party” to Equifax Canada. The OPC found that Equifax Canada should have obtained consent to transfer the personal information of Canadians to Equifax Inc.

At the same time the Equifax report of findings was published, the OPC also published a consultation document revisiting its 2009 policy position, stating that “that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.”

This, understandably, caused a near meltdown in the privacy community.

Then, speaking at the International Association of Privacy Professionals Canada Privacy Symposium May 22, Privacy Commissioner Daniel Therrien announced that the consultation would be suspended to allow the OPC to retool in light of the “Digital Charter,” which had been published by the Department of Innovation, Science and Economic Development the day before. Among other things, the Digital Charter provides a high-level outline of the federal government’s plan for amending PIPEDA.

While this announcement seemed like a potential end to the consultations, they came back to life with the OPC’s reframed discussion document, published June 11. The document requested feedback on a number of questions about how transborder data flows and transfers for processing should be addressed in the shorter and longer terms.

On Sept. 24, less than two months after the deadline for making submissions, the OPC announced that its 2009 policy position “will remain unchanged under the current law.” The OPC received a lot of submissions – 87 – the “vast majority” of which, according to the OPC, “took the view there was no requirement under [PIPEDA] to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.”

So the OPC continues to hold the position that PIPEDA does not require consent to transfer personal information to third parties for processing. This is a very good thing, because a consent requirement would be disastrous for Canadian businesses. And the OPC should be commended for conducting a real consultation, actually listening to stakeholders, and doing it all relatively quickly.

This process has made it clear that the OPC thinks that consent should be required for transfers that occur across borders. Fortunately, however, given the nearly universal rejection of this idea, it seems very unlikely the government would choose to go this route.

Share this article:

Previous Post OPC wins again in Google right to de-indexing case
Next Post Loblaw’s errors are overblown

Related Posts

February16

Limitation of liability in B2B contracts valid under Quebec civil law

January28

Maturing the Privacy Impact Assessment

January07

10 crisis communications tips for privacy breaches

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Categories

  • Adequacy
  • CASL
  • Class Actions
  • Communications
  • Competition Act
  • Genetic Privacy
  • IT Contracts
  • Legislation
  • Ontario
  • PIPEDA
  • Privacy
  • Privacy Breach
  • Privacy Commissioner of Canada
  • Privacy Impact Assessment
  • Privacy Reform
  • Privacy Shield
  • Quebec
  • Right to be forgotten
  • Smart Cities
  • Supreme Court
  • Transborder Data Flows
  • Uncategorized

Recent Posts

Limitation of liability in B2B contracts valid under Quebec civil law

February 16, 2022

Maturing the Privacy Impact Assessment

January 28, 2022

10 crisis communications tips for privacy breaches

January 7, 2022

Tag Cloud

Access to Information Act CASL Class Actions CompuFinder Constitutionality CRTC Cybersecurity Equifax data breach Federal Court of Appeal google National Security OPC Consultation PIPEDA Privacy Privacy Commissioner of Canada Smart Cities spam Transborder Data Flows

Footer

EXPERT LEGAL SERVICES

135 Laurier Avenue West, Suite 100 Ottawa Ontario K1P 5J2
  • Home
  • About Us
  • Our Team
  • Blog
  • Privacy

Copyright © 2020 nNovation LLP. All Rights Reserved