In an announcement this week, the Office of the Privacy Commissioner of Canada (OPC) has put "on hold" any change in its approach to cross-border flows of personal information, stating that "its guidelines for processing personal data across borders will remain unchanged under the current law."
What this means is that the OPC does not interpret the Personal Information Protection and Electronic Documents Act (PIPEDA) as requiring consent for cross-border data flows, including the processing of personal information outside of Canada. This is a reversal of the position the OPC signalled in the spring, when, as widely reported, it indicated its view that cross-border transfers of personal information require consent.
The OPC will continue to ensure, and we anticipate will be more vigilant in ensuring, that organizations are transparent about transborder data flows and take steps to adequately protect personal information in the hands of processors. Key considerations for organizations are:
- A transfer for processing is a "use" of personal information, not a disclosure requiring additional consent, provided the information is used for the purpose for which it was originally collected.
- The transferring organization remains accountable for the information in the hands of the organization to which it has been transferred.
- Organizations must protect personal information in the hands of processors. The primary means of doing so is by contract.
- Organizations should assess, and take steps to mitigate, the risks that could jeopardize the integrity, security and confidentiality of personal information transferred outside of Canada.
- Organizations need to make clear to individuals that their information may be accessed, stored or processed in a foreign country, and that it may be accessible to the law enforcement and national security authorities of that jurisdiction.
Given that the OPC's conclusion depends on the current law, we anticipate this issue will arise again. The OPC will likely advocate for changes to the law that require consent for cross-border data flows, and the trend setter here is the European General Data Protection Regulation (GDPR), which restricts transfers of personal data outside the European Union. To comply with the current interpretation, and to prepare for possible legislative change, organizations should be addressing the transparency and privacy protection requirements for transfers of personal information outside of Canada now.
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technologies as they impact privacy and data management, focusing on how organizations can protect, manage and innovate with information in light of the various risks and the regulatory and governance requirements they face.