To date, the answer to this question has been “no.”
Rather, since 2009, it has been the position of the Federal Privacy Commissioner that organizations subject to The Personal Information Protection and Electronic Documents Act (“PIPEDA”) do not need to obtain additional consent for a cross-border transfer of personal information if it is being used or processed for the original purpose. Organizations are, however, obligated to give notice. The Office of the Privacy Commissioner (“OPC”) stated in January 2009 Guidelines that organizations must
“advise customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.”
In a new consultation process, the OPC states that its “view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.”
A fundamental principle behind the 2009 “no consent required” position appeared to be the OPC’s position that a “transfer for processing is a "use" of the information; it is not a disclosure.” Decisions articulating this principle made sense. The new consultation paper appears to indicate a fundamental shift from this concept, as it specifically points to consent being required for the disclosure.
There does not appear to be any serious legal basis behind the change from the OPC’s view that processing is a use not requiring consent to being viewed as disclosure requiring consent. Indeed, the legal basis for the shift seems only to be that nothing in PIPEDA exempts data transfers from consent requirements and so therefore “as a matter of law” consent is required.
Processing has been a “use” not a disclosure for 10 years. Why the change?
It appears there are at least two driving forces behind the variation. First, there is now a trend developing with the OPC interpreting PIPEDA in a manner which aligns more closely with the individual rights afforded by the General Data Protection Regulation (“GDPR”). This may be driven by a craving to position Canada as best as possible with continued “adequacy” status under GDPR. The national and business interests in doing so are obvious. Second, there may also be a desire by the OPC to further advance individual rights and its ability to enforce transparency. Transparency is important for individual rights, however, it is not clear that will change. Essentially shifting from a notice approach to a consent requirement will be more onerous on organizations.
The real question to be resolved seems to be this: Is a cross-border data transfer for processing a use or a disclosure?
The answer may signify a significant change in Canadian privacy law.
Cory Sully is an associate in our Labour, Employment and Human Rights Group and Privacy and Data Management Group in Vancouver. She advises and represents clients in all areas of workplace law. Cory provides practical and strategic ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.