The Office of the Privacy Commissioner of Canada (the “OPC”) has recently launched a consultation on transborder data flows under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA is a federal law of Canada that regulates how individuals’ personal information should be collected, used, and disclosed in commercial transactions. It is restricted to provincial, interprovincial, and international commercial transactions and therefore does not apply to government activities, collection of information for journalistic, literary or artistic services, not-for-profit enterprises and charity groups, among others. Due to growing concerns regarding transfers of personal information beyond Canada’s borders, the OPC revisited its previous position and determined that the cross-border transfer of personal information to third parties for processing (a “Transfer”) may now be considered “disclosure”. Under the OPC’s previous position, a Transfer was not considered to be disclosure and, assuming the information was being used for the purpose it was originally collected, the transfer was considered a “use” of information such that additional consent for the Transfer was not required. Under the OPC’s new position, organizations that only have consent to collect and use personal information would now also need to obtain consent to disclose it in order to effect a Transfer. Consent for collection and use only may no longer sufficient. The OPC’s new position is an explicit attempt to safeguard personal information being sent abroad. The OPC is concerned that new internet-based technology, like cloud storage, could make it difficult to control who has access to individuals’ personal information. Consequently, the OPC wants to make sure individuals understand that consent to Transfers involves risks, insofar as the information may become excessively exposed to third parties, other jurisdictions, and their law enforcement agencies.
It is important to stress that organizations within the same group (such as parent companies’ subsidiaries abroad) are considered third parties and therefore the transferring organization must obtain consent to Transfer. The transferring organization remains accountable for the information and must guarantee that the third party who receives it follows the same measures of safeguard. In addition to obtaining consent, organizations must inform individuals that they have the option to either refuse or accept the Transfer of information abroad. Organizations must provide individuals with easily accessible choices regarding any disclosure that is not strictly necessary or provide a product or service. Conversely, if disclosure isn’t a necessary part of the service delivery, organizations are not required to provide individuals with options.
In sum, both Canadian and foreign organizations involved in cross-border transactions with Canada must be aware of the OPC’s new position on transborder data flows. If the OPC’s consultation is positive, organizations wishing to transfer personal information abroad will have to obtain individuals’ consent to collect, use, and disclose. Consent to collect and use only will no longer be enough for Transfers. Lastly, organizations should remember that if disclosure of personal information is not necessary to provide a service or product, they must provide individuals with other alternatives to consent.
This article is for informational purposes only and does not constitute legal advice. If you wish to discuss your issue with a lawyer, contact Martin today. 613-747-2459 ext.308, [email protected]