Transborder Data Flow Consent Standard Is Reaffirmed

The Workplace of the Privateness Commissioner of Canada (OPC)’s report, Private Info Safety and Digital Paperwork Act (PIPEDA) Report of Findings #2019-001, issued April 9, 2019, into the Equifax hack, created controversy because the report recommended that the present legislation on the extent of consent crucial for Canadian organizations to have interaction in transborder processing of non-public knowledge had modified and that the OPC was now asserting {that a} new commonplace of categorical consent was required.

In para. 111 of the report, the OPC said “we acknowledge that in earlier steering our Workplace has characterised transfers for processing as a ‘use’ of non-public data relatively than a disclosure of non-public data. Our steering has additionally beforehand indicated that such transfers didn’t, in and of themselves, require consent.”

The OPC went on and beneficial in para. 112 of the report that “Equifax Canada and Equifax Inc. … Search legitimate, categorical consent from any present prospects for future disclosures of their data to Equifax Inc.”

The circumstances of that case had been that the operations of each Equifax entities had been extremely built-in and data flowed readily from Equifax Canada to the US guardian however with out formal agreements between the events and insufficient notification of Canadian prospects below the present legislation.

Within the OPC’s 2009 Tips for Processing Private Data Throughout Borders (the “2009 Tips”), the OPC set out two rules:

  1. Transborder (or cross-border) transfers for processing are topic to the accountability precept. “Precept 1 locations accountability on a company for safeguarding private data below its management. Precept 4.1.three of Schedule 1 of PIPEDA particularly acknowledges that private data could also be transferred to 3rd events for processing. It additionally requires organizations to make use of contractual or different means to ‘present a comparable degree of safety whereas the knowledge is being processed by the third social gathering.’”
  2. “‘Switch’ is a use by the group. It’s not to be confused with a disclosure.” Moreover, “[a]ssuming the knowledge is getting used for the aim it was initially collected, extra consent for the switch isn’t required.”[1]

The OPC report within the Equifax choice was a change in place that the OPC recommended “relies finally on our obligation to make sure that our insurance policies replicate an accurate interpretation of the present legislation. Through the Equifax investigation, it turned obvious that the place {that a} switch (i.e., when a accountable group transfers private data to a 3rd social gathering for processing) isn’t a “disclosure” is debatable and certain not right as a matter of legislation. In our view, a switch of non-public data between one group and one other clearly suits throughout the typically accepted definition of “disclosure”: «make identified, reveal» (Canadian Oxford English Dictionary).” [2]

On condition that Canada’s financial system is very built-in with that of different nations, and notably the US, this improvement gave rise to concern. Some considerations had been that it’s was not the operate of the OPC to make dramatic adjustments to the legislation. That’s parliament’s function and the legislative course of has the good thing about normally contemplating all sides of a difficulty earlier than a change is made.

In response to the considerations raised on this new interpretation of the legislation, the OPC launched a session on transborder knowledge flows below PIPEDA. The OPC famous that “Stakeholders have indicated that it might be helpful to supply extra detailed data with respect to the explanations which have led us to revisit our coverage place on this situation”. The OPC submitted a supplementary dialogue doc on June 11, 2019 to additional clarify the explanations for the change within the legislation.

Many business organizations and stakeholders turned engaged on this course of. The overwhelming majority of the submissions famous that there was no requirement within the legislation for consent for transborder knowledge flows[3], they famous that the current authorized regime on accountability was purposeful and the brand new interpretation was expensive and sophisticated to implement. Many famous that the brand new interpretation could be opposite to “Canada’s aim of growing a knowledge pushed digital financial system”.

The engagement within the evaluation of the session on transborder knowledge flows below PIPEDA concluded on September 23, 2019. The OPC “concluded that its pointers for processing private knowledge throughout borders will stay unchanged below the present legislation. The OPC will now focus its efforts on how a reformed legislation can finest defend Canadians’ privateness rights when their data is transferred between organizations.”

The OPC confirmed that “Whereas the OPC’s place on transfers for processing stays unchanged, we remind companies of the authorized requirement to be clear about private data dealing with practices. Organizations ought to advise prospects that their private data could also be despatched to a different jurisdiction for processing and that whereas the knowledge is in one other jurisdiction it could be accessed by the courts, legislation enforcement and nationwide safety authorities.”

The tip outcome confirms that the 2009 Tips stay the legislation. All organizations engaged in transborder knowledge flows are beneficial, nonetheless, to make use of the event to take a detailed take a look at their data dealing with practices and the adequacy of the preparations for processing of non-public data in order that they adequately adjust to the legislation.

________________

[1] See OPC “Supplementary dialogue doc – Session on transborder dataflows”, June 11, 2019.

[2] See OPC “Supplementary dialogue doc – Session on transborder dataflows”, June 11, 2019.

[3] See OPC, “Commissioner concludes session on transfers for processing”, September 23, 2019.

Transborder Data Flow Consent Standard Is Reaffirmed

Previous
Next

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.