In a significant departure from its guidelines and decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Privacy Commissioner of Canada (OPC) introduced in an April 9, 2019 decision a requirement for an organization to obtain consent for outsourcing activities involving personal information to a service provider outside of Canada. In light of this significant change of position, the OPC has launched a Consultation regarding transborder dataflows and issued a supplementary discussion document that includes a list of questions for stakeholders to address in their responses. The OPC is inviting stakeholders to submit their responses by June 4, 2019.
Previous Policy Position
The OPC’s previous position on cross-border data transfers, articulated in its 2009 guidelines and PIPEDA Case Summaries 2008-394, 2007-365 and 2005-313, was that organizations are not required to obtain consent to transfer personal information for the purpose of processing (including to a parent, subsidiary, third-party service provider or cloud hosting service provider). Transfers of data for those purposes are not considered a “disclosure” but, rather, a “use” of the personal information by the organization, consistent with the purpose for which the information was collected. Under the OPC’s 2009 guidelines, organizations are simply required to be transparent and provide notice to individuals that their information will be transferred to a third party for processing, which can be achieved with appropriate explanations in a privacy policy. Under the accountability principle in Schedule 1 to PIPEDA, organizations remain responsible for personal information being processed by service providers and must require their service providers to afford the information a “comparable level of protection”, generally by entering into a service agreement that includes appropriate data security provisions.
Updated Policy Position
The OPC has now explained that it regards its earlier position as “likely not correct as a matter of law” and is advancing the view that all transfers of personal information for processing are disclosures that require consent. Based on this new interpretation, the OPC will require consent for all outsourcing of data processing activities to service providers, including processing that takes place in Canada. Express consent would be required in certain circumstances, including where there is no reasonable expectation that personal information would be transferred outside of Canada or where the information involved is sensitive, in accordance with the OPC’s guidelines for obtaining meaningful consent that came into force in 2018.
Implications and Consultation
A new requirement for consent to outsourcing could cause significant business, operational and administrative challenges for all organizations that outsource to service providers both inside and outside Canada, such as payment processors, cloud service providers, and providers of human resources and marketing services. Canadian subsidiaries that rely on a foreign parent for services would also be affected. Obtaining consent before engaging in transfers of personal information to service providers could amount to a significant undertaking, especially given that organizations have designed their current practices to comply with the OPC’s previous position that consent was not required. A consent requirement may also affect procurement practices and raise issues of compliance with Canada’s trade agreements.
In its supplementary discussion document, the OPC asks stakeholders to address, among other issues:
- whether the principle of consent should apply to transfers to third parties for processing, including trans-border transfers;
- in what circumstances consent to a transfer of data for processing should be explicit or implicit;
- what the level of detail should be in the information given to the person affected;
- whether the proposed consent requirements significantly impact organizations, and if so how;
- whether notice about transfers of data for processing should name the third-party processors; and
- whether the OPC’s new position is consistent with Canada’s obligations under international trade agreements (e.g. data localization).
Any individuals or organizations interested in these issues should consider preparing a submission. Submissions can be delivered to OPC-CPVPconsult2@priv.gc.ca before June 28, 2019. BLG is preparing a submission that addresses issues that have been raised concerning our clients’ businesses. We understand that submissions will not be published by the OPC, although it may post a summary of the submissions it receives on its website.