Supplementary discussion document – Consultation on transborder dataflows
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Notice
Please note that this document has been superseded by Consultation on transfers for processing – Reframed discussion document. The text on this page is provided for historical reference, but has been archived to avoid any confusion.
On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) launched a consultation on transborder data flows under the Personal Information Protection and Electronic Documents Act (PIPEDA). Stakeholders have indicated that it would be useful to provide more detailed information with respect to the reasons that have led us to revisit our policy position on this issue. In order to support a meaningful consultation, we have developed this supplementary discussion document to explain the reasons for the change. We have also set out some additional questions to which we would appreciate responses.
Background to the consultation
In the OPC’s 2009 Guidelines for Processing Personal Data Across Borders (the “2009 Guidelines”), the OPC set out two principles:
- Transborder (or cross-border) transfers for processing are subject to the accountability principle. "Principle 1 places responsibility on an organization for protecting personal information under its control. Principle 4.1.3 of Schedule 1 of PIPEDA specifically recognizes that personal information may be transferred to third parties for processing. It also requires organizations to use contractual or other means to ‘provide a comparable level of protection while the information is being processed by the third party.’”
- “‘Transfer’ is a use by the organization. It is not to be confused with a disclosure.” Furthermore, “[a]ssuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”
Our change in position is based ultimately on our obligation to ensure that our policies reflect a correct interpretation of the current law. During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a “disclosure” is debatable and likely not correct as a matter of law. In our view, a transfer of personal information between one organization and another clearly fits within the generally accepted definition of “disclosure”: « make known, reveal » (Canadian Oxford English Dictionary).Footnote 1 This is also the meaning of the term “disclosure” in the Privacy Act, the other principal law of the Parliament of Canada in relation to the protection of personal information.Footnote 2
As such, it seems to us that the activity in question is at least a "disclosure" between the responsible organization and the third party (and possibly also a use for the responsible organization). To conclude that the activity is not a disclosure seems to us, with respect, to be an interpretation that is inconsistent with PIPEDA.
As a result, an organization must, in accordance with Principle 4.3, obtain consent for a transfer to a third party for processing, including for transborder transfers.
In addition, the Act makes clear that the accountability principle is an important safeguard for personal information transferred across borders for processing. It is one of the applicable principles, but it is not the only one. In our view, the consent principle as well as the openness principle, among others, also apply. No one principle excludes the application of the others.
That being said, the 2009 Guidelines already advised organizations that they must be transparent with respect to transborder transfers: "Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.” The 2009 Guidelines also note that this notice should ideally be provided at the time the information is collected.
The change in position by the OPC would require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers.
Questions for Stakeholders
- In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
- Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
- What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1 2019? Specifically:
- In what circumstances should consent be implicit or explicit?
- What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
- Should the notice to the affected person name the third parties?
- Should the notice contain other pieces of information?
- Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
- If the elements identified in question 3(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
- What elements should be included in obtaining consent for transfers for processing that are not transborder?
- Do you think the proposed interpretation of PIPEDA is consistent with Canada’s obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 3(b) must disclosed as part of the openness principle?
- Any other comments or feedback you think may be helpful.
- Date modified: