Privacy Policy Security Data Transfer Padlock Creative Commons Zero - CC0

Privacy Policy Security Data Transfer Padlock Creative Commons Zero - CC0


Canadian Privacy Commissioner Signals Major Shift in Approach on Cross-Border Data Transfers

The Office of the Privacy Commissioner of Canada has released a consultation paper that signals a major shift in its position on data transfers, indicating that it now believes that cross-border disclosures of personal information require prior consent. The approach is a significant reversal of longstanding policy that relied upon the accountability principle to ensure that organizations transferring personal information to third parties are ultimately responsible for safeguarding that information. In fact, OPC guidelines from January 2009 explicitly stated that “assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”

The federal privacy commissioner now says that “a company that is disclosing personal information across a border, including for processing, must obtain consent”, adding that “it is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.”  While this position is a preliminary one – the office is accepting comments in a consultation until June 4, 2019 – there are distinct similarities with the OPC’s approach on the right to be forgotten.  In that instance, despite the absence of a right to be forgotten principle under Canadian law, the office simply decided that it was reading in a right to de-index search results into PIPEDA. The issue is currently before the courts.

In this case, the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC, effectively seeking to update the law through interpretation rather than actual legislative reform. Since PIPEDA’s inception, the accountability principle has been touted as a foundational aspect of the law, providing assurance that Canadians’ privacy is protected regardless of where it goes or who processes it. Yet the OPC seemingly now doubts that view, suggesting that there are risks associated with data that leaves the country.

The OPC is careful to note that it believes its position is consistent with Canada’s international trade obligations, but the issue could be subject to challenge. Article 14.11 of the CPTPP requires Canada (and all parties) to allow cross-border transfer of information by electronic means. The article states that:

Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information greater than are required to achieve the objective.

The imposition of consent requirements for cross-border data transfers could be regarded as imposing restrictions greater than required to achieve the objective of privacy protection, given that PIPEDA has long been said to provide such protections through accountability without the need for this additional consent regime.

Regardless of the international trade implications, however, the OPC interpretation would have enormous implications for e-commerce and data flows with many organizations forced to rethink longstanding compliance policies. The proposal is sure to generate opposition with some understandably asking whether the issue would be more properly addressed by government policy within a national data strategy and privacy law reform, rather than an OPC guideline that if enacted is likely to end up in the Canadian courts.


  1. Devil's Advocate says:

    I’ve got a better idea. Just stop sharing your information.

    Ditch Facebook, Google, Twitter, Amazon, and all those that exploit your data and/or share it with others without your consent. Toss their apps, and block their trackers from connecting with you. Switch to encrypted and decentralized services.


    Let everyone who wants to stay in the “old bubble” keep fighting about how they’re going to deal with these sell-outs, and somehow convince them to give them back what they [thought they] had. Eventually, these legacy centralized models that depend on harvesting everyone’s data will bleed revenue and die.

    Companies, like Facebook and the rest, only have it coming to them. Their very business models have corrupted the internet environment, and their data mining has attracted all forms of 3rd-party interference, privacy invasion, spying, and now censorship ops from government and their intelligence agencies.

    Thanks to everyone being so cooperative with their info and devoted to a small number of centralized social and search networks, we now have a large majority of internet users funneled into a “narrow world” which they’re now trying to clamp down on and control, while still exploiting the data.

    Decentralized and unencrypted services only result in the “Big Brother” effect. They’re no longer an option.

    • Devil's Advocate says:

      ERROR: Last sentence, “Decentralized” should have been “Centralized”.

    • Heh, heh. No.

      And I hope you’re not suggesting there should be NO rules just because everyone can just not use these services.

      • Devil's Advocate says:

        Not even sure what you’re asking.

        “Rules” have nothing to do with what’s happening. Standards on what gets posted are now being imposed by self-interested groups – government, corporations, intelligence, and their “think tanks” – in order to remove or block that which goes against their desired narrative.

        That’s not making rules. It’s just censorship. The MSM gets to produce lots of blatantly false news, while anyone publishing any truth gets banned on Facebook and Twitter.

        Anyway, what rules do you think are needed, and where would you apply them? Part of my point was that people will soon stop using unencrypted and centralized services. How would anyone slap any rules on that which they don’t control or even be able to access?

  2. It’s not obvious that accountability can provide protections against a foreign security service operating under the laws of their country. I might well wish to remain in Canada, under the rule of law as it is interpreted here in PIPEDA.

  3. Pingback: News of the Week; April 10, 2019 – Communications Law at Allard Hall

  4. Appreciating the persistence you put into your site and detailed information you provide.
    It’s awesome to come across a blog every once in a while that isn’t the same out of date rehashed information. Fantastic read!
    I’ve saved your site and I’m including your RSS feeds to my Google account.

  5. Thanks for each of your efforts on this website.
    Debby take interest in carrying out investigation and
    it is simple to grasp why. Almost all hear all about
    the dynamic method you give rewarding thoughts through the
    website and in addition cause contribution from other people about
    this subject plus our favorite daughter is understanding a
    lot. Have fun with the remaining portion of the year.
    Your doing a tremendous job.

  6. Hello, its good paragraph on the topic of media print, we all
    know media is a impressive source of information.