Consultation on transfers for processing – Reframed discussion document

Purpose

The purpose of this paper is to reframe the consultation announced on April 9, 2019 on the issue of transfers for processing, including transborder transfers. The OPC now invites stakeholder views both on how the current law should be interpreted and applied in these contexts, and on how a future law, which may follow the publication by the federal government of its Digital Charter on May 21, should provide effective privacy protection in the context of transfers for processing.

For ease of reading, we have consolidated our original consultation documents and questions into this new, standalone discussion document. The questions we previously posed with respect to the current law remain the same, and we have added additional questions related to how a future law could address transborder data flows to effectively protect privacy.

Background

In its Report of Findings in the Equifax investigation, published April 9, 2019, the OPC found, on the facts of the case, that consent was required under the current law for the transfer of personal information from Equifax Canada for processing by its US affiliate, Equifax Inc. This was in response to complaints by individuals who obtained Equifax Canada products or services who were surprised that their breached personal information was located in the United States.

Recognizing that this interpretation was not the interpretation previously given by the OPC in these matters, and that the application of this interpretation to organizations beyond Equifax would have an important impact on business practices, we announced a consultation on how the current law should be interpreted and applied to organizations generally, with a view to possibly amending relevant guidelines.  We also announced that during this re-examination period and until the conclusion of the consultation, we did not expect organizations to change their practices (as a contrary expectation would defeat the purpose of the consultation). We acknowledge that organizations are now therefore in a period of some uncertainty where the OPC has announced its intention to amend its guidelines, but the guidelines have not changed and any potential changes will of course fully consider views expressed during the consultation.

A new factor of uncertainty has surfaced in May when the government announced its Digital Charter and published a related white paper entitled Strengthening Privacy for the Digital Age, which includes considerations for amending PIPEDA. While this paper does not define specific amendments for transfers for processing, including transborder transfers, it suggests options and considerations,   notably “reducing reliance on consent for common practices or trust environments” and “requiring organizations to demonstrate their accountability". As an Agent of Parliament, we intend to make recommendations on how a new law should effectively protect privacy in the context of transfers for processing. We are therefore extending the purpose of our consultation and seek stakeholder views on what could be desirable recommendations.

Our interpretation of the current law and any amended guidelines we may publish may be short lived if the government, as it appears likely, moves to amend PIPEDA in relation to transborder data flows. However, because legislative change could take years, we must continue our re-examination of how the current law should be applied. We also heard that stakeholders have expectations to be heard after they have invested time and resources in preparing submissions on the questions we posed in April. We welcome these submissions, and will consider them both in relation to possible new guidelines and in the context of investigative findings we will be required to make under the current law. Ultimately, these findings must of course be made on the basis of the facts of individual complaints and after consideration of any submissions by the parties.

How to effectively protect privacy in the longer term (PIPEDA amendments)

The OPC's long term goal is to ensure effective privacy protection in the context of transborder data flows and transfers for processing, accepting that transborder flows are the subject of international trade agreements and that both domestic and international transfers bring significant benefits to individuals and organizations.

Accountability is an important privacy safeguard in the context of transfers. Principle 4.1.3 of PIPEDA currently provides that organizations "shall use contractual or other means to provide a comparable level of protection" when personal information is being processed by a third party. However, as we have seen in Equifax, PIPEDA's current formulation of the accountability principle is not always effective in protecting privacy. In its recent white paper, the government seems to suggest that stronger accountability may be part of the solution.

In that vein, we have suggested that PIPEDA be amended to require demonstrable accountability, including an authority for the OPC to proactively inspect the practices of organizations to ensure they truly are accountable. Other data protection authorities around the world, including in the UK, a common law jurisdiction, have this authority. Currently, under PIPEDA's complaints based model, the OPC rarely has occasion to examine contractual measures developed by organizations to give effect to Principle 4.1.3. This model, essentially one of self-regulation, seems insufficient, in an age of complex technologies, data flows and business models, to give individuals the assurance and trust they need that their privacy will continue to be protected when their personal information is transferred for processing. Proactive review by an independent regulator may help provide that assurance.

More generally, we firmly believe the government has an obligation to protect the privacy of its citizens through the adoption of effective privacy laws. In the context of transborder data flows, this has led several countries (including members of the European Union, as well as Japan, Malaysia, Brazil, Colombia, Morocco and Tunisia) to adopt adequacy regimes, whereby the personal information of citizens protected by national laws may only be transferred outside the country, generally, where the receiving country has laws that were found to provide an adequate level of protection. Transfers to countries whose laws were not found adequate are also possible under other measures, such as standard contractual clauses approved by a public authority, usually domestic regulators. In Canada, the adoption of an adequacy regime may be too fundamental a change to consider; in addition, the efficacy of such a regime is not universally recognized. In our view, adopting a regime of standard contractual clauses, as described, should seriously be considered as it would again add a level of review by an independent public authority.

As the OPC stated in its 2009 guidelines, no contract can override the laws of another jurisdiction. Contractual arrangements made under Principle 4.1.3 of PIPEDA therefore offer limited protection against a foreign law that is inconsistent with their provisions. This can create significant privacy risks, for instance that information about the exercise of legal activities by persons in Canada could potentially be used against them, particularly where such activities are not legal or do not enjoy equal protection as in Canada. The legal purchase and use of cannabis obviously comes to mind but there may be other relevant scenarios, such as donations to religious or political causes. How should the Government of Canada fulfill its responsibility to protect its citizens in these circumstances?  One way may be to require organizations to seek meaningful consent when a transfer of personal information entails such risks. We would be interested to hear other effective solutions to this likely rare but significant problem for the exercise of rights.

To be clear, we would not recommend that consent be required in the longer term in the context of data transfers for processing, if other effective means are found to protect the privacy rights of individuals.  But in situations where neither contractual clauses nor other means are effective, consent may be required.

Transfers for processing under the current law

Similar considerations animate various legal and policy regimes governing transborder data flows.  For instance, paragraph 1 of the APEC Cross-Border Privacy Rules System says the APEC Privacy Framework upon which the Rules are based is "designed to ensure the continued free flow of personal information across borders while establishing meaningful protection for privacy and security of personal information."

However, the interpretation of the existing federal legal regime must of course be based on the text adopted by Parliament, read in its entire context and in its grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.^{Footnote 1} In Equifax, the OPC applied a different interpretation to that which had been previously given, at the end of what is by law a confidential process involving complainants and the respondent organization. We did not reach that result lightly, but ultimately concluded that the new interpretation was more consistent with the text of PIPEDA. Before deciding whether to maintain that interpretation to all organizations, we now want to hear from all stakeholders.

As we explained in our April 23 supplementary discussion document, our intended change in position is based ultimately on our obligation to ensure that our policies reflect a correct interpretation of the current law.

During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a “disclosure” is debatable and likely not correct as a matter of law. In our view, a transfer of personal information between one organization and another clearly fits within the grammatical and ordinary sense of “disclosure”: « make known, reveal » (Canadian Oxford English Dictionary).^{Footnote 2}  This is also the meaning of the term “disclosure” in the Privacy Act, the other principal law of the Parliament of Canada in relation to the protection of personal information.^{Footnote 3} In addition, a number of provincial statutes in Canada, deemed substantially similar to PIPEDA, either consider transfers for processing as disclosures,^{Footnote 4} or adopt specific rules for these activities and, notably, explicitly exempt these activities from a consent requirement.^{Footnote 5} PIPEDA has no such explicit exception.

We have seen comments to the effect that “disclosures” must be distinguished from “transfers” under PIPEDA because when an organization discloses information, it must assure itself that it has the right to disclose, and once that is fulfilled and the disclosure has taken place securely, its responsibility is at an end.^{Footnote 6} The term “disclosure” would therefore be incompatible with a continuing accountability. This is an interesting interpretation but it is certainly not apparent from the explicit words of the Act. If Parliament intended consent not to apply, would it not, as several provincial legislatures have done, exempt processing situations from the consent requirement? That said, we are interested in reading submissions that would further explain this interpretation and how it fits harmoniously with the scheme and object of PIPEDA.

One obstacle to that interpretation may be the structure of PIPEDA, notably the fact that accountability and consent are separate principles, along with others, and that no one principle excludes the application of the others. On what legal basis, derived from the text of PIPEDA, could the OPC rule, on the one hand, that accountability applies to the exclusion of consent in processing situations, while maintaining the obviously desirable interpretation that no one principle excludes the application of the others?

That being said, as noted in our April 23 supplementary discussion document, the 2009 Guidelines already advised organizations that they must be transparent with respect to transborder transfers: "Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.” The 2009 Guidelines also note that this notice should ideally be provided at the time the information is collected.

The change in position by the OPC would require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers. We are open to views on how (implied or express consent, content of the information upon which consent would be sought) this might be achieved: see Question 6 below.

Questions for Stakeholders (Longer term – Future law)

1. How should a future law effectively protect privacy in the context of transborder data flows and transfers for processing?
2. Is it sufficient to rely on contractual or other means, developed by organizations and reviewed only upon complaint to the OPC, to provide a comparable level of protection? Or should a future law require demonstrable accountability and give a public authority, such as the OPC, additional powers to approve standard contractual clauses before they are implemented and, once they are adopted, proactively review their implementation to ensure a comparable level of protection?
3. How should a future law effectively protect privacy where contractual measures are unable to provide that protection?

Questions for Stakeholders (Shorter term – Current law)

4. In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
5. Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
6. What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1 2019? Specifically:
   1. In what circumstances should consent be implicit or explicit?
   2. What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
   3. Should the notice to the affected person name the third parties?
   4. Should the notice contain other pieces of information?
7. Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
8. If the elements identified in question 6(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
9. What elements should be included in obtaining consent for transfers for processing that are not transborder?
10. Do you think the proposed interpretation of PIPEDA is consistent with Canada’s obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 6(b) must be disclosed as part of the openness principle?
11. Any other comments or feedback you think may be helpful.

Note that, for historical reference, the following documents related to the consultation remain on the OPC website, however, they have been archived to avoid any confusion.

• Consultation on transborder dataflows
• Supplementary discussion document – Consultation on transborder dataflows

Feedback criteria and procedures

1. Please send your response to OPC-CPVPconsult2@priv.gc.ca by August 6, 2019 (updated).
2. Your feedback may be sent in the form of an email, Word or pdf document.
3. Please indicate your name, contact information and category which best represents your perspective (e.g. individual, organization, academic, advocacy group, information technologist, educator, etc.)
4. Any comments that violate Canadian law or violate our comment policy will not be considered within scope of this call for feedback and will either be deleted or dealt with in accordance with our legal authorities under the Privacy Act.

A confirmation email will be sent if your email address has been provided in accordance with the terms above.

Please note that the OPC is not providing funding for any feedback related to this call for comment.

Your feedback and privacy

Your feedback will not be posted on the OPC website; however an overall summary of comments may be posted on the OPC’s website. If you post your feedback online, please advise us and provide us with a link. If you are submitting previously published works as part of your feedback, please include appropriate references and links.

The OPC is subject to the Access to Information Act and the Privacy Act. The Access to Information Act provides a public right of access to government records. The Privacy Act provides individuals with a right of access to their own personal information and protects that information from unauthorized disclosure. Some of the information you provide to us in this process may be accessible under the Access to Information Act; this does not include personal information as defined in the Privacy Act.

If you choose to participate in this consultation, the personal information that you provide directly to the OPC is included in Personal Information Bank PSU 938 Outreach Activities. Please also see the OPC’s Privacy Policy, Terms and conditions, and comment policy for how we handle your information. The personal information you provide will be used and may be disclosed for the purpose for which the information was obtained or compiled by the OPC, or for a use consistent with that purpose.

Feedback will not be treated as a privacy complaint under the Privacy Act or PIPEDA. For further information on filing complaints under either Act, please see File a formal privacy complaint.

Contact us

If you have any questions about this consultation, please direct them to OPC-CPVPconsult2@priv.gc.ca.

If you have a question unrelated to this call for feedback, please use our Online Information Request form or contact our Information Centre.