The Office of the Privacy Commissioner of Canada has released a consultation paper that signals a major shift in its position on data transfers, indicating that it now believes that cross-border disclosures of personal information require prior consent. The approach is a significant reversal of longstanding policy that relied upon the accountability principle to ensure that organizations transferring personal information to third parties are ultimately responsible for safeguarding that information. In fact, OPC guidelines from January 2009 explicitly stated that “assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”
The federal privacy commissioner now says that “a company that is disclosing personal information across a border, including for processing, must obtain consent”, adding that “it is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.” While this position is a preliminary one – the office is accepting comments in a consultation until June 4, 2019 – there are distinct similarities with the OPC’s approach on the right to be forgotten. In that instance, despite the absence of a right to be forgotten principle under Canadian law, the office simply decided that it was reading in a right to de-index search results into PIPEDA. The issue is currently before the courts.
In this case, the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC, effectively seeking to update the law through interpretation rather than actual legislative reform. Since PIPEDA’s inception, the accountability principle has been touted as a foundational aspect of the law, providing assurance that Canadians’ privacy is protected regardless of where their information goes or who processes it. Yet the OPC seemingly now doubts that view, suggesting that there are risks associated with data that leaves the country.
The OPC is careful to note that it believes its position is consistent with Canada’s international trade obligations, but the issue could be subject to challenge. Article 14.11 of the CPTPP requires Canada (and all parties) to allow cross-border transfer of information by electronic means. The article states that:
Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information greater than are required to achieve the objective.
The imposition of consent requirements for cross-border data transfers could be regarded as imposing restrictions greater than required to achieve the objective of privacy protection, given that PIPEDA has long been said to provide such protections through accountability without the need for this additional consent regime.
Regardless of the international trade implications, however, the OPC interpretation would have enormous implications for e-commerce and data flows, with many organizations forced to rethink longstanding compliance policies. The proposal is sure to generate opposition, with some understandably asking whether the issue would be more properly addressed by government policy within a national data strategy and privacy law reform, rather than an OPC guideline that, if enacted, is likely to end up in the Canadian courts.