OPC Reaffirms 2009 Consent Standard for Cross-Border Data Processing
Canadian organizations that rely on transborder data flows can breathe a little easier after a recent announcement out of the Office of the Privacy Commissioner of Canada (“OPC”). On September 23, 2019, the OPC announced it will hold to its 2009 Guidelines for Processing Personal Data Across Borders (“2009 Guidelines”) after consulting with stakeholders. This decision comes after a short-lived but noteworthy shift in the OPC’s interpretation of a “transfer for processing” under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), flowing from the Equifax hack and the subsequent investigation.
In investigating the 2017 Equifax security breach, Commissioner David Therrien concluded that Equifax Inc and its Canadian subsidiary had failed to obtain the necessary consent from their Canadian consumers for transborder processing of personal data. His finding boiled down to whether a cross-border transfer of personal data to a third party was a “use” or a “disclosure” of information under PIPEDA. The OPC settled on the latter, which was a notable change in interpretation from the 2009 Guidelines.
The change unsettled stakeholders, as existing law had until-then identified these transfers as a “use” of information rather than a “disclosure” and did not require explicit consent for these types of transfers. Following its change in position, the OPC launched a consultation on April 9, 2019, in which organizations were encouraged to share their positions and opinions regarding, among other issues, the correct interpretation of “transfer for processing” under PIPEDA.
On September 7, 2017, Equifax Inc, announced a significant data breach, in which the personal information of over 143 million individuals was compromised. Out of this number, an estimated 19,000 Canadians were affected. The type of information that had been compromised included the names, social insurance numbers, addresses, and birthdates of Equifax customers. According to the OPC report, the information, if accessed together would put an individual at serious risk for identity theft.
The OPC launched a comprehensive investigation into Equifax Inc and its subsidiary, Equifax Canada Co (“Equifax Canada”). It focused on each corporations’ security infrastructure, accountability framework and the particular issue explored here, the consent procedures around the cross-border data transfers of personal information.
The investigation found that during transactions for director-to-consumer products and fraud alerts, Equifax Canada collects personal information from Canadian consumers. In order to fulfill these product orders, the personal information is then transferred to Equifax Inc in the United States, as the parent company plays a fundamental role in product delivery. By sending the personal information of consumers to Equifax Inc, known as a third party for these purposes, Equifax Canada was participating in transborder data processing. This type of transfer is regulated by PIPEDA, as the statute specifically recognizes that personal information may be transferred to third parties for processing.
One of the primary questions asked by Commissioner Therrien was whether Equifax Canada obtained adequate consent from Canadians for the collection and subsequent transfer of their personal information to Equifax Inc.
In the 2009 Guidelines, the OPC laid out the following key finding:
A transfer for processing is a “use” of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
In other words, until the collecting organization or the third party is using the personal information for purposes other than what it was originally collected for, no explicit consent is required. If the receiving organization wishes to expand its use of this information, it may only do with consent from the particular individuals. This consent standard, however, is premised on the OPC’s interpretation above, that a transfer of personal information for processing is a use of information and not a disclosure.
Contrasting 2009 Guidelines to Equifax Conclusion
Despite its 2009 Guidelines, the OPC investigation concluded that the transfer of personal information from Equifax Canada to Equifax Inc was in fact disclosures, rather than uses of personal information under the meaning of PIPEDA Sections 7(3) and 4.3. As a result, Equifax Inc and its Canadian subsidiary both fell short of obtaining adequate, express consent from their customers. While the OPC found that Equifax Canada was acting in good faith in not seeking express consent for these disclosures, OPC provided two key consent recommendations in paragraph 112:
a. Revise their communications to individuals purchasing or accessing direct-to-consumer products to seek valid express consent for any collection by, or disclosures to, Equifax Inc of personal information, including clearly explaining the nature and purpose of the collection by, and disclosure to, Equifax Inc in the US of Canadian personal information…
b. Seek valid, express consent from any current customers for future disclosures of their information to Equifax Inc.
OPC later explained that during the investigation it became apparent that the position that a transborder processing transfer is “not a ‘disclosure’ is debatable and likely not correct as a matter of law.” It went on to state that the transfer seen in Equifax would clearly fit within the definition of disclosure and to conclude differently would be an interpretation that is inconsistent with PIPEDA.
Post-Equifax Consultation & OPC Reversal
This shift in the OPC’s position caused significant concern for industry organizations and stakeholders. Organizations ranging from commercial enterprises such as Walmart Canada to non-profits like the Law School Admissions Council or World Vision Canada rely on this type transfer for data processing. These types of organizations, specifically non-profits, often depend on third parties for data processing and in many instances lack the capacity, resources, and expertise to manage such processing internally. Recognizing the potential adverse effects this interpretation would have on such parties , the OPC launched a consultation on transborder data flows under PIPEDA.
The OPC received 87 submissions, the vast majority of which raised concerns with the prospect of an express consent requirement. Most stakeholders took the view that the correct interpretation of PIPEDA did not require consent for these types of transfers and doing so “would create enormous challenges for their business processes.”
The Canadian Bar Association (“CBA”), specifically its Privacy and Access Law and Charities and Non-For-Profit Law Sections, submitted its own response to the consultation. In its submission, the CBA challenged OPC’s interpretation of PIPEDA, by claiming that it is “unsupported by accepted principles of statutory interpretation.” The CBA further argued that requiring consent would be unreasonable if the organization is meeting its accountability principles with respect to its relationship with the third party. In this vein, it explained that a transfer of personal information for processing is a form of agency, where the agent does not acquire the type of control or ownership that we would see in a situation of disclosure, as defined by PIPEDA. The CBA also took the position that the Equifax breach “presented unique facts, uncommon in the usual circumstances of transfer of personal information.”
While the CBA may have provided a comprehensive discussion when advocating for the 2009 interpretation, it still came to the same conclusion as the majority of respondents – that PIPEDA does not and should not require consent for transborder processing. This homogenous position between CBA and other stakeholders alike did not come as a surprise if one takes into consideration the reliance Canadian organizations have on cross-border data flows. The Canadian economy as a whole is highly integrated with and relies heavily on organizations, specifically parent companies, outside of its jurisdiction.
Following the consultations, the OPC changed its tune once again and, after applying what it called a “pragmatic approach”, it decided to maintain the previous interpretation of its 2009 Guidelines. The OPC went on to state that it will wait until possible legislative reform before operating under a new, reformed interpretation. It also took the opportunity to remind organizations to be transparent about their personal data handling practices – recalling that customers should be advised when their information is being sent to another jurisdiction.
It seems as though OPC made the right call in deferring its authority to the legislature. This path forward allows for a more comprehensive look at the current law surrounding transborder data processing, which is of particular importance since the stakes are high for corporations and non-profits operating in Canada. It will be interesting to see whether legislative reform will follow, and, if it does, what side of the pendulum the response will land. For now though, organizations can enjoy the status quo.
 Principle 4.1.3 of Schedule 1 of PIPEDA
 Clause 4.5 of PIPEDA