Transfer for processing under PIPEDA a use, not a disclosure
(July 31, 2019, 8:49 AM EDT) — The key determination underlying the federal Office of the Privacy Commissioner’s June re-launch of its Consultation on transfers for processing is whether a transfer to a data processor under the Personal Information Protection and Electronic Documents Act (PIPEDA) is a use or a disclosure.
In its 2009 guidance document, Guidelines for Processing Personal Data across Borders, the OPC correctly described a transfer to a processor, as referred to in PIPEDA’s Accountability Principle, as a use by an organization, not to be confused with a disclosure. The OPC now suggests that its 2009 interpretation was incorrect and that a transfer is a disclosure. In the context of modern-day outsourcing and data processing relationships, the significance of the distinction is critical – a disclosure requires consent by data subjects whereas a transfer does not.
The OPC’s proposed new interpretation is not supported by principles of statutory interpretation – specifically consideration of the context in which the relevant terms are used and the intention of the relevant statutory provisions. Furthermore, it is not consistent with the accepted scheme of privacy protection reflected in PIPEDA and other Canadian private sector privacy laws, such as Alberta’s Personal Information Protection Act, or the rules laid down in the EU’s 1995 Data Protection Directive as carried forward into its successor, the General Data Protection Regulation (GDPR).
David Young Law
Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8