global network connection cross-borderCanada’s Privacy Commissioner, Daniel Therrien, recently announced his intention to obligate companies to obtain Canadians’ consent before an organization engaged in commercial activities may legally transfer their personal information across the border for processing, including to the United States. Canada’s Office of the Privacy Commissioner (OPC) released a consultation paper on April 9, 2019 communicating this proposed change of direction, and calling for stakeholders’ commentary by June 4, 2019 (April 9, 2019 OPC Consultation on Transborder Data Flows). It is unclear at present whether the anticipated consent requirement will be applied to transborder transfer for processing of employees’ personal information by employers, which until now has not explicitly been required.

This is a significant turnabout for Canada. Consent for such transfers is not explicitly required under Canada’s Personal Information Protection and Electronic Document Act, S.C. 2000, c.5 (Can.) (PIPEDA). Until now, the OPC did not require the consent of consumers or other “data subjects” for transborder transfers of personal information for processing. Instead, it applied an “accountability principle” that was satisfied if a Canadian-based entity informed data subjects of transborder transfers in its posted privacy policy and remained legally accountable for the protection of personal data sent abroad to a third party for processing. Principle 4.1.3 of schedule 1 of PIPEDA provides as follow: “An organization is responsible for personal information in its possession or custody including information that has been transferred to a third-party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”

Canada’s “accountability principle” approach to transborder transfers contrasts with that of the European Union as set forth in its General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 (GDPR). The GDPR restricts transfers of personal information to countries, like the United States, that do not meet its standards for enforcing data protection laws that provide “adequate protection” (GDPR at Chapter 5, Article 45). It requires compliance with enumerated “appropriate safeguards” (GDPR at Chapter 5, Articles 46-48) or, in lieu of such safeguards, that the transfer fit within a number of exceptions (“derogations”), including that “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards” (GDPR at Chapter 5, Article 49).

In 2009, the OPC described how Canada’s approach differed from that of the European Union’s attention to the adequacy of data protection laws in the country to which personal information is transferred:

“In contrast to this state-to-state approach, Canada has, though PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing agreement … . PIPEDA does not distinguish between domestic and international transfers of data”

OPC 2009 Guidelines for Processing Personal Data Across Borders.

The OPC attributed its proposed shift in approach to require consent for such transfers to its findings from its recent investigation into the 2017 data breach of U.S.-based Equifax, which affected 143 million people worldwide, including 19,000 Canadians. The OPC’s report on its Equifax investigation—released to the public on the same day as its announcement of the proposed consent requirement—found that the “personal information of Canadians became caught up in the breach at US-based Equifax, Inc. because they had obtained products, such as credit monitoring or fraud alerts, from Equifax Canada—transactions that were processed by its parent company. Once Canadians’ information was in Equifax Inc.’s systems in the United States, critical gaps in its security program left the Canadian information inadequately protected.” April 9, 2019 OPC Report on the Equifax Investigation.

The OPC’s investigation found that Canadian customers of Equifax Canada were given the impression that they were dealing exclusively with the Canadian subsidiary, whose posted privacy policy did not include any reference to Equifax nor to the possibility that customers’ personal information would be transferred to its American parent for processing. The OPC found the transfer inconsistent with Equifax Canada’s obligations under PIPEDA to “obtain meaningful consent from individuals before disclosing their personal information to a third party . … Organizations must obtain express consent where individuals would not reasonably expect the transfer. This was the case here given Canadian customers interacted exclusively with Equifax Canada at the time and were not explicitly advised that their information would be processed in the United States. Express consent is also required where the information is sensitive, as is generally the case with financial information.” OPC April 9, 2019 Report on Equifax Investigation.

The OPC explained that, until now, it had not considered a transborder transfer for “processing”—which is how it characterized the Equifax transfers—to be a “disclosure” for which PIPEDA requires the data subject’s consent. “During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a ‘disclosure’ is debatable and likely not correct as a matter of law,” OPC explained. “In our view, a transfer of personal information between one organization and another clearly fits within the generally accepted definition of ‘disclosure.’” OPC April 23, 2019 Supplementary Discussion Document—Consultation on Transborder Dataflows. The OPC noted that its 2009 Guidelines for Processing Personal Data Across Borders had already advised organizations that accountability included providing notice of transborder transfers to consumers and “that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities,” ideally at the time the information is collected. OPC April 23, 2019 Supplementary Discussion Document.

The OPC’s proposed consent requirement is slated to be reflected in an amended version of its May 2018 guidance for Obtaining Meaningful Consent (Consent Guidance). These revisions likely will remove the Consent Guidance’s statement that transborder transfers for processing “is a use by the organization. It is not to be confused with a disclosure. Furthermore, ‘[a]ssuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.’” Consent Guidance. It is this position that the OPC proposes to amend. Nonetheless, the Consent Guidance provides useful guidance likely to survive amendment that “[i]ndividuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service—they must be given a choice.” Consent Guidance at Section 3. For a disclosure to be considered to be a valid condition of service, the Consent Guidance states that “it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. Organizations should be transparent and prepared to explain why any given collection, use or disclosure is a condition of service, particularly if it is not obvious. Otherwise, for all other collections, uses and disclosures, individuals must be given a choice, unless an exception to the general consent requirement applies.” The Consent Guidance also stated that “individuals have the right to withdraw consent, subject to legal or contractual restrictions). In its April 9 announcement of the proposed policy change, the OPC reiterated that PIPEDA’s choice principle requires that individuals be informed of any options available to them if they do not wish to have their personal information disclosed across borders, OPC stated that “[d]epending on the circumstances, a transfer for processing may well be integral to the delivery of a service and in such cases, organizations are not obligated to provide an alternative.” April 9, 2019 OPC Consultation on Transborder Data Flows.

“We know that there are advantages to transborder data flows, but individuals ought to and do, under the law, have a say in whether their personal information will be disclosed outside Canada,” said Commissioner Therrien. “Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.” April 9, 2019 OPC Press Release.

The OPC has not addressed whether the proposed consent requirement would apply to transfers of employees’ personal information. PIPEDA currently exempts employers from obtaining consent from employees whose personal information is transferred abroad in the regular course of employment. Section 7(2)(b.2) of PIPEDA (“Use without knowledge or consent”) provides an exception to the consent requirement if “the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced.” OPC’s website guidance on “PIPEDA Fair Information Principle 3—Consent” states that organizations may use employees’ personal information without the individual’s knowledge or consent only when “the use is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be used for such purposes.” PIPEDA Fair Information Principle 3—Consent, Section on “Exceptions to the Consent Principle.” It is to be noted that Section 7(2)(b.2) refers to “use” of employee personal information and, by the logic of the OPC’s restatement of policy, it may well be that a transborder transfer may be deemed a “disclosure” going forward.

It remains to be seen whether the OPC will finalize its intention to require consent for transborder transfers of personal information and, if so, the extent to which it adjusts these requirements in reaction to stakeholder comment due to be received by June 4th. Those comments may be expected to observe that the proposed requirements are not strictly provided for within the wording of PIPEDA. They may also assert that the consent requirement runs counter to its foreign trade obligations pursuant to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (to which Canada is a signatory along with 10 other Pacific Rim nations) and the US-Mexico-Canada Agreement (USMCA), signed in November 2018, both of which contain certain restrictions on transborder data flows. These comments may include queries as to the applicability of the consent requirement to transborder transfers of employees’ personal information.

If the OPC proposed consent requirement takes effect, it would require significant changes to the data privacy policies and procedures of Canadian companies, including Canadian offices and affiliates of American corporations. This re-engineering of processes should include audits of their outsourcing of processing to Canadian third parties to assure that they are not re-transferring the companies’ data outside Canada for processing. These challenges would be compounded if the OPC requires that retrospective consent be obtained from data subjects whose personal information already has been transferred outside Canada.

Patrick J. Burke is a partner with Phillips Nizer, where he heads their data technology & cybersecurity practice group. Anne-Sophie Hutteau-Hiltzer is a referendare in the firm’s data technology & cybersecurity, German and corporate & business law practice groups. She is admitted to practice law in France.