OPC confirms that a transfer for processing under PIPEDA is a use
At the end of September, following a spring and summer of high drama – in which the federal Office of the Privacy Commissioner (OPC) initially announced a revision of its 2009 guidance regarding third party data processing, then reconsidered its position and undertook a consultation – the OPC announced no change. In essence, a transfer for processing will continue to be considered a use, not a disclosure, and will not require consent by individuals whose personal information is affected.
The OPC’s proposed revision
The proposed revised treatment of such transfers under PIPEDA would have required data collectors (organizations holding personal information for their own purposes) to obtain the consent of all individuals whose data they propose to transfer to a third party for processing. This revision in how PIPEDA is interpreted would have represented a diametrically opposed approach to that articulated in the OPC’s 2009 guidance, which clearly stated that such transfers are a use, not requiring individuals’ consent.
The OPC received 87 submissions in response to its consultation – possibly a record. Predominantly, the submissions took issue with the proposed new treatment, arguing that it ran counter to the clear language in PIPEDA’s Accountability Principle and, if adopted, would have played havoc with the routine third party processing operations of many organizations, not to mention the administrative nightmare that the requirements of obtaining and documenting such consents would have posed.
OPC’s 2009 guidance is confirmed
The OPC in its announcement acknowledged that different interpretations of the PIPEDA rule may exist – alluding to the “non-legal drafting” of Schedule 1, referred to in an early consideration of the law by the Federal Court of Appeal. Schedule 1, which contains the Canadian Standards Association’s Model Code for the Protection of Personal Information, sets out the basic privacy rules within PIPEDA, including the Accountability Principle. The OPC also referenced the court’s guidance that the statute should be applied with flexibility, common sense and pragmatism. It confirmed that in maintaining its existing guidance it will follow this pragmatic approach until the law is changed through statutory amendment.
Cross-border transfer disclosure requirements
Transfers of data to third party processors
The OPC has acknowledged that consent is not required to transfer personal information to a third party processor. However in its announcement concluding the consultation, the OPC directs attention to its guidance document, Guidelines for obtaining meaningful consent, in which it cites as a key element in obtaining consent, providing individuals with information regarding the third parties to whom their data may be transferred for purposes of processing. If the names of such parties are too numerous to list, then categories of such persons may be provided.
Future reform of PIPEDA
The OPC indicated that it would take into consideration those submissions received in its consultation that address reform of PIPEDA and in particular how the law more clearly could address transfers for processing and cross-border data flows. The OPC’s view is that cross-border data flows are not sufficiently protected from potential risks under PIPEDA and that amendments are required.
For more information please contact:
David Young 416-968-6286 email@example.com
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.
© David Young Law 2019
 Mathew Englander v. Telus Communications Inc., 2004 FCA 387.
© David Young Law 2018
Read the Full PDF: OPC confirms that a transfer for processing under PIPEDA is a use.
David Young Law
Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8