Privacy Update: Will Consent be Required for Outsourcing Canadian Data?
By Richard Stobbe
Here’s a familiar picture: You are a Canadian business and you use a service provider outside of the country to process data. Let’s say this data includes personal information. This could be as simple as using Gmail for corporate email, or using Amazon Web Services (AWS) for data hosting, or hiring a UK company for CRM data processing services.
Until now, the Federal Office of the Privacy Commissioner (OPC) has taken the position that data processing of this type is a “use” of personal information by the entity that collected the data for the purposes of the Personal Information Protection and Electronic Documents Act (PIPEDA). Such use would require the consent of the individual for the initial collection, but would not require additional consent for the data processing by an out-of-country service provider, provided there was consent for that use at the time the information was first collected.
The privacy laws of some provinces contain notification requirements in certain cases, though not express consent requirements, for the use of service providers outside of Canada. For example, Alberta’s Personal Information Protection Act, Section 13.1, indicates that an organization that transfers personal information to a service provider outside Canada must notify the individual in question.
The OPC’s guidance, dating from 2009, took a similar approach, allowing Canadian companies to address the cross-border data processing through notification to the individual. In many cases, a company’s privacy policy might simply indicate in a general way that personal information may be processed in countries outside of Canada by foreign service providers. In the words of the commissioner in 2009: “[a]ssuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.” As long as consumers were informed of transborder transfers of personal information, and the risk that local authorities will have access to information, the organization was meeting its obligations under PIPEDA.
A recent consultation paper published by the OPC has signalled a potential change to that approach. If the changes are adopted by the OPC, this will represent a significant shift in data-handling practices for many Canadian companies.
Draft guidance from the OPC, issued April 9, 2019, indicates that recent high profile cross-border data breaches, such as the incident involving Equifax, have inspired a stricter consent-based approach. Today, the OPC issued a supplementary discussion document to explain the reasons for the proposed changes. (See: Consultation on Transborder Dataflows)
Reversing 10 years of guidance on this issue, the OPC now explains that a transfer of personal information between one organization and another should be understood as a “disclosure” according to the common understanding of that term in privacy laws.
If the draft guidelines are adopted by the OPC, any cross-border transfers of personal data to an outsourced service provider would be considered a “disclosure”, mandating a new consent, as opposed to a “use” which could be covered by the initial consent at the time of collection. Depending on the circumstances, the type of disclosure and the type of information, this could require express consent, and it’s not clear how this would apply to existing transborder data-processing agreements, or whether additional detail would be required for consent purposes, or if the specific names of the service providers would be required as part of the consent. This could significantly impact data-processing, e-commerce operations, and the consent practices of many Canadian businesses.
Consultations are open until June 4, 2019. Please stay tuned for further updates on this issue and if you want to seek advice on your company’s privacy obligations, please contact us.
Calgary – 16:00 MST