The Office of the Privacy Commissioner of Canada (OPC) is revisiting its policy position on transborder data flows under the Personal Information Protection and Electronic Documents Act (PIPEDA). This includes not only cross border data transfers between controllers and processors, but also other cross border disclosures of personal information between organizations.
The OPC is committed to consulting with stakeholders on changes to its policy positions. This document aims to explain how the OPC’s approach on cross border data flows, including transborder transfers for processing, has evolved and to solicit feedback from interested parties.
Under PIPEDA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. In the absence of an applicable exception, the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another. Naturally, other disclosures between organizations that are not in a controller/processor relationship, including cross border disclosures, also require consent.
For consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including instances when they are located in another country, and the associated risks. When determining the form of consent (express or implied), companies will need to consider the sensitivity of the information and individuals’ reasonable expectations. We believe individuals would generally expect to know whether and where their personal information may be transferred or otherwise disclosed to an organization outside Canada.
Organizations that have obtained consent to transfer an individual’s personal information across a border in the context of processing will generally remain accountable for the information following its transfer. As stated in PIPEDA’s accountability principle (4.1), the controller will still be required to use contractual or other means to provide a comparable level of protection while the information is being processed.
The OPC’s 2009 guidelines stated there are different approaches to protecting personal information that is being transferred for processing. The guidelines went on to suggest that “in contrast to (the European Union’s) state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy.”
While it is true that Canada does not have an adequacy regime and that PIPEDA in part regulates cross border data processing through the accountability principle, nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements. Therefore, as a matter of law, consent is required. Our view, then, is that cross-border data flows are not only matters decided by states (trade agreements and laws) and organizations (commercial agreements); individuals ought to and do, under PIPEDA, have a say in whether their personal information will be disclosed outside Canada.
Organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process. In other words, individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localization), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.
We have considered the implications of our position in the context of cross-border trade and the importance of information flows for the purpose of facilitating commerce. In our view, this position is consistent with Canada’s international trade obligations.
Stakeholders are encouraged to review the following key points which expand upon our position:
A company that is disclosing personal information across a border, including for processing, must obtain consent. Individuals must be given the opportunity to exercise their legal right to consent to disclosures across borders, regardless of whether these are transfers for processing or other types of disclosures. When information is disclosed between organizations, absent an exemption in PIPEDA, consent is required.
Under PIPEDA, the form of consent required depends on the sensitivity of the information at issue and the individual’s reasonable expectations in the circumstances. Underlying the contextual analysis of both sensitivity and reasonable expectations is the risk of harm to the individual. Where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied.
It is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country. Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.
Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders. As we state in our consent guidance, organizations must make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service. Depending on the circumstances, a transfer for processing may well be integral to the delivery of a service and in such cases, organizations are not obligated to provide an alternative. Nonetheless, by being provided with clear and adequate information about the nature, purpose and consequence of any disclosure of their personal information across borders, individuals will be able to make an informed decision about whether to consent to the disclosure and therefore do business with the organization.
When disclosing personal information to a third party for processing, a company does not relinquish control of the information. That being said, business relationships can be very complex and determining which organization has personal information “under its control” needs to be assessed on a case-by-case basis, and informed by factors such as relevant contractual arrangements, commercial realities, as well as evolving business models and shifting roles. For instance, if an organization that is a processor uses or discloses the same personal information for other purposes, it is no longer simply processing the personal information on behalf of another organization and is thereby acting as an organization “in control” of the information.
An organization that processes personal information on behalf of another organization may still have obligations under the Act in respect of the personal information in its possession or custody, as an organization that collects, uses or discloses personal information in the course of commercial activities.
The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements. We welcome input from interested parties on our updated policy position, as well as on specific areas for which related guidance would be most needed.
This update to the OPC’s policy position will impact a number of existing guidance documents on our website. These will be marked with a notice as we work to update the affected text.
About the OPC
The Privacy Commissioner of Canada is an Agent of Parliament whose mission is to protect and promote privacy rights.