Transfers for processing under PIPEDA: a transfer is a use, not a disclosure
The OPC’s new Consultation on transfers for processing
The Office of the Privacy Commissioner (OPC), in its 2009 guidance document, Guidelines for Processing Personal Data across Borders, correctly described a transfer to a data processor, as referred to in the PIPEDA Accountability Principle[1], as a use by an organization, not to be confused with a disclosure. The OPC now, in its new Consultation on transfers for processing, suggests that its 2009 interpretation was incorrect and that a transfer is a disclosure. In the context of modern-day outsourcing and data processing relationships, the significance of the distinction is that a disclosure requires consent (for stated purposes) by the data subject whereas a transfer does not.
The OPC’s proposed new interpretation is not supported by accepted principles of statutory interpretation – specifically consideration of the context in which the relevant terms are used and the intention of the relevant statutory provisions[2]. Furthermore, it is not consistent with the understood and accepted scheme of privacy protection reflected in PIPEDA and other Canadian private sector privacy laws, as they originate in the rules laid down in the EU’s 1995 Data Protection Directive and carried forward into the General Data Protection Regulation (GDPR).
Statutory context distinguishes between transfers and disclosures
The plain wording of PIPEDA and its context distinguish between transfers and disclosures. The two terms are used separately and distinctively, by intention. Understanding of the intended meaning of the term “transfer” is drawn from within Principle 1 – Accountability. That principle stipulates and makes clear that an organization is responsible for personal information under its control or possession, including – and meaning – information transferred to a third party for processing. In other words, information so transferred remains within the control and possession of the organization and that organization is responsible for ensuring that the third party provides protection for the information while processed by it. The term “disclosure” is not used to describe a transfer for processing. As indicated by the OPC’s 2009 guidance document, such transfers are simply a “use”, limited to the purposes for which the information was originally collected.
A disclosure of personal information under PIPEDA – and under other relevant Canadian privacy laws as well as international laws such as the GDPR – moves, or shares, control and possession of information by the organization originally holding it (the “controller” under the GDPR) to or with another organization which is considered then to have “collected” the information. The second organization must have the individual data subject’s consent to collect the information (and the disclosing organization must have obtained that consent in order to disclose it). The purpose of the consent requirement is to enable the data subject to determine whether they accept the change of control and possession to the second organization. Once disclosed in this manner, the second organization (the new “controller”) becomes subject to all of the PIPEDA rules respecting use and disclosure of that information, as well as the accountability rule[3]. By contrast, a transfer of information for processing under the Accountability Principle, by the plain meaning and interpretation of that principle, does not change control or possession of the information and that control and possession remains within the organization transferring the information[4].
By contrast, a use of information is an activity undertaken by the organization that is primarily responsible for that information under the Accountability Principle. That principle makes it clear that such responsibility includes ensuring adequate protection for the information when the information is provided (i.e. transferred) to a third party for processing. The transfer to the third party could be characterized as a form of agency relationship whereby the “agent” does not acquire any ownership or control, but simply is authorized to perform certain services on behalf of the organization. This understanding of the relationship between the organization and its third party processor is clear from the plain meaning of section 4.1.3 of Principle 1.
PIPEDA’s rule for transfers to service providers is consistent with provincial and international privacy laws
This characterization of the relationship between an organization and its contracted service providers is consistent with – and is reflected in – other Canadian private sector privacy laws[5] and personal health information protection laws[6]. A transfer understood in this manner contrasts with a “disclosure” under PIPEDA which implies the transfer of control, possession and responsibility, as described above.
This framework and understanding of the respective responsibilities of organizations and their contracted service providers is also consistent with the comparable framework articulated in the GDPR. That law stipulates that notice to data subjects regarding the processing of their data must include information regarding the identity of the controller and the nature of the processing but does not extend to providing information regarding contracted processors, or requiring consent to transfer of information to such processors. Controllers are required to enter into appropriately protective agreements with their processors and remain responsible for information while in the custody of processors. In other words, the control and responsibility character of the information does not change – the contracted processor relationship is invisible to the data subject.
Conclusion – a transfer is a use, not a disclosure
The OPC supports its argument to include a transfer as a disclosure by reference to the dictionary definition and to other privacy legislation. However, it is clear from the rules of statutory interpretation[7] that, as a minimum, the meaning must be derived in the context in which terms are used, not simply by dictionary definitions read in isolation from that context[8]. Furthermore, other privacy legislation does not provide any clear guidance to support a conclusion that, for PIPEDA purposes, a transfer is considered a disclosure. Instead, it is predominantly consistent with the understood application of the transfer for processing rule[9], as reflected in the OPC’s 2009 guidance.
The OPC invites responses to its new consultation, to be submitted by August 6, 2019.
© David Young Law 2019
David Young Law
Suite 3500, 2 Bloor Street East, Hudson’s Bay Centre,
Toronto ON M4W 1A8
Tel. 416-968-6286
Mob. 416-318-5521
Email: David@DavidYoungLaw.ca
[1] Personal Information Protection and Electronic Documents Act, Schedule 1.
[2] See: Ruth Sullivan, University of Ottawa; Statutory Interpretation in the Supreme Court of Canada.
[3] In most such disclosure transactions, the disclosing entity does not seek to continue any control over the information once received by the receiving organization. However in some instances where the discloser has a continuing interest in the integrity and security of the information, such as in the health sector where two-way information flows can occur, “data sharing agreements” may be entered into between the organizations, stipulating certain minimum protective standards for both organizations.
[4] See also Perrin, Flaherty and Rankin, the Personal Information Protection and Electronic Documents Act: An Annotated Guide, as mentioned in the OPC document.
[5] The Alberta Personal Information Protection Act expressly includes the terminology, “transfers to a service provider” (s. 13.1 (1)) and contains no mention of transfers to a service provider as disclosures not requiring consent, as is provided in the BC Personal Information Protection Act. In other words, the Act considers transfers to service providers outside the scope of a “disclosure”, not requiring any special consent exemption. While the BC PIPA does provide an exemption for disclosure, it can be argued that that provision alone does not exclusively encompass transfers to service providers and that such transfers should be treated as under the Alberta PIPA.
[6] For example, Ontario’s Personal Health Information Protection Act, 2004.
[7] See note 2, above.
[8] Contrary to the OPC document, there is no definition of the term “disclosure” in the Privacy Act; the reference in the relevant footnote in the OPC document is to the Treasury Board Directive on Privacy Practices.
[9] See note 5, above.