Canadian Privacy developments – update #2

New OPC consultation on transfers for processing

As reported last month, the federal Office of the Privacy Commissioner (OPC) suspended its original Consultation on transborder dataflows, initiated following its investigation report into the 2017 Equifax data breach.  As part of that consultation, the OPC had proposed re-characterizing data transfers undertaken in the context of service provider relationships, including across borders, so that such transfers would be treated as a “disclosures” under the federal privacy law, PIPEDA[1], requiring consent by data subjects, together with an explanation of the nature of any such relationship.

The OPC now has announced a new consultation on transfers for processing, intending to reframe its initial consultation in the context of the federal government’s Digital Charter published on May 21, which included an intention to clarify the PIPEDA provisions relating to transfers for processing.

The OPC indicates that since legislative change could take years, it must continue its re-examination of how the current law respecting transfers for processing – including cross-border transfers – should be applied.  The new consultation reiterates the OPC’s concerns regarding the application of PIPEDA to processing and transborder data flows and seeks to provide further support for its position that transfers should be considered “disclosures” under the legislation requiring the consent.  However, the OPC indicates that it wants to receive feedback from stakeholders before deciding whether to maintain that new interpretation.

In the context of discussing – and seeking stakeholder feedback on – future amendments to PIPEDA, the consultation document focuses on accountability for cross-border transfers, the issue that the OPC addressed in some detail in its Equifax investigation report.  In this regard, the OPC identifies potential changes to PIPEDA that could assist in ensuring cross-border transfers are compliant, including expanding its authority to proactively inspect organizational practices, adoption of an adequacy regime such as under the EU’s GDPR, or adoption of a regime of standard contractual clauses.  The OPC also states that in circumstances where personal information is transferred to jurisdictions involving significant potential privacy risks, obtaining user consent should be considered.  Finally, the OPC indicates that if other means – such as the potential options it suggests – are not adopted, consent still may be required.

The OPC invites responses to its new consultation, to be submitted by August 6, 2019.

Privacy for political parties

In the context of the federal election scheduled for this fall, some changes in the laws governing the protection of privacy by political parties will come into effect.  Most importantly, amendments to the Canada Elections Act made under Bill C-76, the Elections Modernization Act, will require parties to have privacy policies that address – and provide disclosure of – key information collection and use practices.

The Bill C-76 amendments have been almost universally criticized as an inadequate response to the anticipated challenges to electoral integrity in today’s digital universe.  Furthermore, despite urgings from many quarters including an all-party recommendation by the House of Commons ETHI Committee[2] to adopt formal privacy protection legislation in time for this fall’s election, Parliament failed to do so.  However, notwithstanding this context, it is instructive to consider how these new rules will apply and may be expected to be complied with by the parties.

The new rules require that parties must – by June 30, 2019 – publish privacy policies containing the following specific information:

  • the types of personal information collected and the means used to collect that information;
  • the party’s uses of personal information;
  • the party’s security safeguards for personal information;
  • training given to employees who have access to personal information;
  • the party’s practices for online information collection, including through cookies; and
  • contact information for a person who can answer questions regarding the privacy policy.

These required disclosures go beyond what any of the parties currently have in their privacy policies.  In this regard, reference may be made to a guidance document published by the OPC in conjunction with the Chief Electoral Officer (CEO), Guidance for federal political parties on protecting personal information, setting out examples of the information that should be included in the parties’ policies.

Of particular interest will be how the parties respond to the requirement to disclose their practices for collecting personal information online.  In the typical private sector privacy policy, this heading addresses collection of information through the use of cookies on the organization’s own web site and, to a certain extent, collection by data tracking through behavioral advertising techniques.  Typically, private sector policies do not address collection through social media monitoring, mobile apps and other similar data tracking sources.  However, the OPC/CEO’s guidance makes clear that disclosure of such collection practices is expected, together with cookie collection.  Clearly, the legislation should not be interpreted narrowly to apply only to a party’s own data collection methodologies but should be interpreted to include disclosure of its practices regarding the collection of information from any online source.

There are no sanctions under the legislation for parties misstating disclosures in their new privacy policies.  However, the media, social activists and voters generally should be able to scrutinize compliance with these new policies and, potentially, hold the parties to account if their disclosures are found to be incomplete or inaccurate.

Note:    The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.

[1] Personal Information Protection and Electronic Documents Act.

[2] House of Commons Standing Committee on Access to Information, Privacy and Ethics

© David Young Law 2018
Read the Full PDF:  Transfers for processing under PIPEDA: a transfer is a use, not a disclosure

David Young Law

Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8
Tel. 416-968-6286
Mob. 416-318-5521