Canada’s Privacy Commissioner, Daniel Therrien, recently announced his intention to require organizations engaged in commercial activities to obtain Canadians’ consent before they may legally transfer their personal information across the border for processing, including to the United States. Canada’s Office of the Privacy Commissioner (OPC) released a consultation paper on April 9, 2019, communicating this proposed change of direction and calling for stakeholders’ commentary by June 4, 2019 (April 9, 2019 OPC Consultation on Transborder Data Flows). It is unclear at present whether the anticipated consent requirement will apply to employers’ transborder transfers of employees’ personal information for processing; consent for such transfers has not explicitly been required until now.

This is a significant turnabout for Canada. Consent for such transfers is not explicitly required under Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (Can.) (PIPEDA). Until now, the OPC did not require the consent of consumers or other “data subjects” for transborder transfers of personal information for processing. Instead, it applied an “accountability principle” that was satisfied if a Canadian-based entity informed data subjects of transborder transfers in its posted privacy policy and remained legally accountable for the protection of personal data sent abroad to a third party for processing. Principle 4.1.3 of Schedule 1 of PIPEDA provides as follows: “An organization is responsible for personal information in its possession or custody including information that has been transferred to a third-party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”