OPC confirms that a transfer for processing under PIPEDA is a use
At the end of September, following a spring and summer of high drama – in which the federal Office of the Privacy Commissioner (OPC) initially announced a revision of its 2009 guidance regarding third party data processing, then reconsidered its position and undertook a consultation – the OPC announced no change. In essence, a transfer for processing will continue to be considered a use, not a disclosure, and will not require consent by individuals whose personal information is affected.
The OPC’s proposed revision
The proposed revised treatment of such transfers under PIPEDA[1] would have required data collectors (organizations holding personal information for their own purposes) to obtain the consent of all individuals whose data they propose to transfer to a third party for processing. This revision in how PIPEDA is interpreted would have represented a diametrically opposed approach to that articulated in the OPC’s 2009 guidance[2], which clearly stated that such transfers are a use, not requiring individuals’ consent.
The OPC received 87 submissions in response to its consultation – possibly a record. Predominantly, the submissions took issue with the proposed new treatment, arguing that it ran counter to the clear language in PIPEDA’s Accountability Principle and, if adopted, would have played havoc with the routine third party processing operations of many organizations, not to mention the administrative nightmare that the requirements of obtaining and documenting such consents would have posed.
OPC’s 2009 guidance is confirmed
The OPC in its announcement acknowledged that different interpretations of the PIPEDA rule may exist – alluding to the “non-legal drafting” of Schedule 1, referred to in an early consideration of the law by the Federal Court of Appeal[3]. Schedule 1, which contains the Canadian Standards Association’s Model Code for the Protection of Personal Information, sets out the basic privacy rules within PIPEDA, including the Accountability Principle. The OPC also referenced the court’s guidance that the statute should be applied with flexibility, common sense and pragmatism. It confirmed that in maintaining its existing guidance it will follow this pragmatic approach until the law is changed through statutory amendment.
Cross-border transfer disclosure requirements
In confirming that its guidance on transfers for processing remains unchanged, the OPC reiterated its best practice rule regarding transfers for processing across borders. Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. Organizations must do this in clear and understandable language, ideally at the time the information is collected[4]. In a recent case report[5], the OPC reviewed communication of such information in the privacy policy for a gift card program offered by Loblaw Companies Ltd. and determined it to be compliant with its reconfirmed guidance for cross-border transfers.
Transfers of data to third party processors
The OPC has acknowledged that consent is not required to transfer personal information to a third party processor. However in its announcement concluding the consultation, the OPC directs attention to its guidance document, Guidelines for obtaining meaningful consent, in which it cites as a key element in obtaining consent, providing individuals with information regarding the third parties to whom their data may be transferred for purposes of processing. If the names of such parties are too numerous to list, then categories of such persons may be provided.
Future reform of PIPEDA
The OPC indicated that it would take into consideration those submissions received in its consultation that address reform of PIPEDA and in particular how the law more clearly could address transfers for processing and cross-border data flows. The OPC’s view is that cross-border data flows are not sufficiently protected from potential risks under PIPEDA and that amendments are required.
For more information please contact:
David Young 416-968-6286 david@davidyounglaw.ca
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.
© David Young Law 2019
[1] Personal Information Protection and Electronic Documents Act.
[2] Guidelines for processing personal data across borders.
[3] Mathew Englander v. Telus Communications Inc., 2004 FCA 387.
[4]See Privacy and outsourcing for businesses, OPC, January 2014. It is understood that as a minimum the information should be contained in an organization’s privacy policy and preferably within notices directly connected to obtaining consent. See the comparable statutory rule under the Alberta Personal Information Protection Act (PIPA). That rule goes beyond the OPC’s guidance by requiring information about an organization’s policies and procedures for protection of data processed in a foreign jurisdiction and mandates communication of the information in the same manner as providing notice of the purposes for collection of personal information from an individual; PIPA, s. 13.1.
[5] PIPEDA Report of Findings #2019-003.
© David Young Law 2018
Read the Full PDF: OPC confirms that a transfer for processing under PIPEDA is a use.
David Young Law
Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8
Tel. 416-968-6286
Mob. 416-318-5521
Email: David@DavidYoungLaw.ca