The Office of the Privacy Commissioner of Canada (OPC) is proposing a fundamental change to circumstances under which data may be transferred to service providers, and has a announced a consultation on transborder dataflows.
Previously, in its 2009 guidelines, the OPC stated a transfer to a service provider – where contractual controls appropriately limited use and required protection of personal information – was not a “disclosure,” but a “use” of data. As such, notice of any transfers – including cross-border transfers – was sufficient.
The new position is that any transfer from one organization to another constitutes a “disclosure.” This includes transfers to service providers. Going forward, any transfer to a third party – irrespective of contractual restrictions/requirements – will be subject to the consent of the individual. The position indicates the type of consent will be determined based on the sensitivity of the data involved, and where – geographically – the data is being transferred.
“nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements. Therefore, as a matter of law, consent is required. Our view, then, is that cross-border data flows are not only matters decided by states (trade agreements and laws) and organizations (commercial agreements); individuals ought to and do, under PIPEDA, have a say in whether their personal information will be disclosed outside Canada.”
Although the updated proposed guidance states consent is required for all service provider transfers, it focuses primarily on cross-border transfers. The OPC stresses the importance of informing individuals of any options available to them if they do not wish to have their personal information “disclosed” across borders.
The updated proposed guidance stops short of a “data localization” requirement. The OPC indicates that companies cannot be forced to offer services exclusively on Canadian infrastructure. However, individuals must be given the chance to decline to accept services that involve data processing outside Canada. In short, a take-it-or-leave-it option appears to remain valid.
“Depending on the circumstances, a transfer for processing may well be integral to the delivery of a service and in such cases, organizations are not obligated to provide an alternative.”
Finally, the updated proposed guidance reminds Data Controllers they remain accountable for any information transferred (“disclosed”) to service providers, and warns that strict measures must in place to ensure data transferred remains under the control of the Data Controller.
Comments on the consultation are due 4 Jun 2019.
jbho: This is a monumental shift, and one that could have huge impacts on companies that process Canadian data. The change appears to be rooted in the recent Equifax decision.
Key elements from the OPC’s Equifax action include allegations that:
- Equifax Canada failed to exert sufficient control over Equifax, Inc. (US parent)
- Equifax, Inc. controlled the processing infrastructure, and failed to segregate US from Canadian Data
- Equifax, Inc. set security polices without Canadian involvement
- Equifax Canada should have known:
- the level of security implemented by Equifax, Inc. was insufficient to protect “sensitive data”
- the practices of Equifax, Inc. were inconsistent with claimed certifications (e.g., ISO 27001, PCI-DSS)
- sensitive information was improperly stored on a ‘file share’
- Equifax Canada had no contracts in place with Equifax, Inc.
- no clear framework to enforce Canadian law
- no monitoring for PIPEDA compliance
- Equifax Canada failed to ensure Canadian data was deleted when it was no longer needed
- “record owners” could not be idenitified
- The customer portal provided by Equifax, Inc. mislead consumers:
- presented as a Canadian site with a .ca address
- linked to Canada only policies/terms
- represented contracts were in place with services provides to protect data, despite the fact there was no contract in place with Equifax, Inc.
- failed to inform individuals that personal information was being collected by or disclosed to Equifax, Inc.
The OPC also claimed that Equifax Canada was “unable or unwilling to provide clear and timely explanations to our office about basic accountability matters.” The last section of the updated proposed guidance appears to be a result of the alleged lack of oversight Equifax Canada had over Equifax, Inc.
As a result of the above, the OPC has required Equifax Canada obtain express consent from all current customers, and express consent from future customers, before transferring data to Equifax, Inc. Additionally, Equifax Canada has agreed to provide Canadian authorities with third-party security audits every two years for the next six years.
Finally, as part of this consultation, changes will also be made to the OPC’s Guidelines For Obtaining Meaningful Consent. I imagine the changes will focus on transfers, and the level of consent will be determined not only by the sensitivity of the data, but how much control a Data Controller can/does exert over the receiving entity.
I encourage everyone to voice there concerns during this consultation.
Great job John.