Privacy Blue by Richard Patterson (CC BY 2.0)

Privacy Blue by Richard Patterson (CC BY 2.0)


Rewriting Canadian Privacy Law: Commissioner Signals Major Change on Cross-Border Data Transfers

Faced with a decades-old private-sector privacy law that is no longer fit for the purpose in the digital age, the Office of the Privacy Commissioner of Canada (OPC) has embarked on a dramatic reinterpretation of the law premised on incorporating new consent requirements. My Globe and Mail op-ed notes the strained interpretation arose last Tuesday when the OPC released a consultation paper signalling a major shift in its position on cross-border data transfers.

Canadian privacy law has long relied on an “accountability principle” to ensure that organizations transferring personal information across borders to third parties are ultimately responsible for safeguarding that information. The Canadian approach maintained that it did not matter where the personal information was stored or who was involved in its processing, since the ultimate responsibility lay with the first organization to collect the data.

In fact, the OPC’s January 2009 guidelines on cross-border data transfers explicitly stated that “assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.” That guidance enabled Canadian companies to outsource data-processing activities to other jurisdictions so long as they used contractual provisions to guarantee appropriate safeguards.

The federal privacy commissioner seems ready to reverse that long-standing approach, stating that “a company that is disclosing personal information across a border, including for processing, must obtain consent.” It adds that “it is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.”

While the OPC position is a preliminary one – the office is accepting comments in a consultation until June 4 – there are distinct similarities with its attempt to add the right to be forgotten (the European privacy rule that allows individuals to request removal of otherwise lawful content about themselves from search results) into Canadian law. In that instance, despite the absence of a right-to-be-forgotten principle in the statute, the OPC simply ruled that it was reading in a right to de-index search results into PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act). The issue is currently being challenged before the courts.

In this case, the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC, effectively seeking to update the law through interpretation rather than actual legislative reform.

The OPC is careful to note that it believes its position is consistent with Canada’s international trade obligations, but the issue could be subject to challenge. The Comprehensive and Progressive Trade Agreement for Trans-Pacific Partnership (CPTPP), the major Asia-based trade agreement that Canada implemented last year, features a commitment to allow cross-border transfers of information by electronic means.

The treaty limits restrictions on the open-border principle for data transfers, stipulating that any limitations may not be arbitrary, discriminatory or a disguised restriction on trade. Moreover, any limits cannot be greater than those required to achieve a legitimate policy objective. The Canada-U.S.-Mexico Agreement contains similar language.

The imposition of consent requirements for cross-border data transfers could be regarded as a non-tariff barrier to trade that impose restrictions greater than those required to achieve the objective of privacy protection. The interpretation is particularly vulnerable given that PIPEDA has long been said to provide such protections without the need for this additional consent regime.

Regardless of the international trade implications, however, the OPC approach would have enormous implications for e-commerce and data flows, with many organizations forced to rethink well-established data practices and compliance policies. Indeed, companies thinking of servicing the Canadian market would be forced to consider whether they must limit data transfers, likely adding cost and complexity to digital operations.

As Canadians express mounting concerns about their privacy online, tougher enforcement measures and better safeguards may be needed. Yet those issues are more properly addressed by government policy within a national data strategy and privacy law reform, not an OPC guideline that if enacted is likely to spark an avalanche of legal challenges.


  1. Kelly Manning says:

    Data flows to the USA and other backwater privacy countries post the post risk.

    We have seen a flight of robocalling overseas as Canada and the USA enact legislation against those, but many local companies are clearly commercially linked to the the overseas scofflaw “duct cleaners” etc.

    Back in the 1990s Privacy Journal predicted a conflict between lax USA regulations and Council of Europe Privacy legislation about cross border data flows. USA residents are in the ironic position of having more privacy protection when they use a bank card on an European trip than they do back in the USA.

    The idea that companies can hang on to data about you long after you have ceased to have any business or other relationship with them is so 1984.

  2. How much of that consent is really voluntary when you are dealing with banks, telecoms or other big corporations. Can you refuse consent and still obtain service?

    • Kelly Manning says:

      You should be able to refuse consent.

      The most common take on “What is The Cloud?” is usually something such as “The Cloud is ‘Someone Else’s Computer / Storage’/” I usually add “, probably in another Legal Jurisdiction”.

      To me, as a Senior DBA and Security Admint the Cloud makes little sense, except for extreme penny pinchers. The same low cost hardware that makes cloud hosting and computing as a service practical also make it very low cost to run your own fully controlled data centre if you are a major enterprise, such as government or major corporations.

  3. I regard this as belated recognition that we are at risk and have been at risk from lax foreign legal regimes.

    In fact, it’s worse: the US “CLOUD” act means that any data under the control of an American firm such as Google, Amazon or Microsoft is to be treated as US information, open to their security services and laws.

    • Kelly Manning says:

      Yup. A while back someone I knew had a comiseration party for everyone she know who was turning 60. Somebody there described how his work iPhone had been lifted from his shorts pocket on a crowded transit train car during a European tour.

      After telling his tale of woe to several people he bought another iPhone and restored his business data from the iCloud, probably using a backup server subject to the USA PATRIOT Act. Problem solved?

      His first thought was how would he operate his business without the device he used to run it. No explicit backups. I was the Senior Mainframe DB and Security Admin for the BC Ministry of Health, well aware of Federal PIPEDA legislation, and provincial PIPA and FOIPPA legislation.

      Where to start with what was wrong with taking a business device containing Personally Identifiable client data to another continent, losing control if it, and then restoring it from a USA accessible server.

      So I just left it alone without commenting.

      Despite all the fuss Apple made about no unlocking iPhones at the request of USA Law Enforcement they quickly go access to the decrypted data from a 3rd party. Unlocking a stolen iPhone does not seem to be a big deal. Enterprises such as GrayKey do that routinely, so criminals should be expected to do the same. The same tools that let you “unlock” an iPhone from using an Apple approved service provider can also be used by criminals to make a stolen iPhone useable after it is stolen.

      The fate of James Sabzali is a case in point cautionary tale about USA attempts to exert long arm enforcement of their laws and regulations in Canada and elsewhere. Under Canadian Law Sabzali could not refuse to sell water purification technology to Cuban hospitals. The USA’s long memory of the Cuban Missile Crisis led it to enforce their No Truck or Trade act against Sabzali for actions performed in Canada.

  4. Pingback: [AxisOfEasy] Nevermind Y2K, Here Comes “768K” Day

  5. Pingback: News of the Week; April 17, 2019 – Communications Law at Allard Hall