Faced with a decades-old private-sector privacy law that is no longer fit for purpose in the digital age, the Office of the Privacy Commissioner of Canada (OPC) has embarked on a dramatic reinterpretation of the law premised on incorporating new consent requirements. The strained interpretation arose on Tuesday when the OPC released a consultation paper signalling a major shift in its position on cross-border data transfers.
Canadian privacy law has long relied on an “accountability principle” to ensure that organizations transferring personal information across borders to third parties are ultimately responsible for safeguarding that information. The Canadian approach maintained that it did not matter where the personal information was stored or who was involved in its processing, since the ultimate responsibility lay with the first organization to collect the data.
In fact, the OPC’s January 2009 guidelines on cross-border data transfers explicitly stated that “assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.” That guidance enabled Canadian companies to outsource data-processing activities to other jurisdictions so long as they used contractual provisions to guarantee appropriate safeguards.
The federal privacy commissioner seems ready to reverse that long-standing approach, stating that “a company that is disclosing personal information across a border, including for processing, must obtain consent.” It adds that “it is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.”
While the OPC position is a preliminary one – the office is accepting comments in a consultation until June 4 – there are distinct similarities with its attempt to add the right to be forgotten (the European privacy rule that allows individuals to request removal of otherwise lawful content about themselves from search results) into Canadian law. In that instance, despite the absence of a right-to-be-forgotten principle in the statute, the OPC simply ruled that it was reading in a right to de-index search results into PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act). The issue is currently being challenged before the courts.
In this case, the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC, effectively seeking to update the law through interpretation rather than actual legislative reform.
The OPC is careful to note that it believes its position is consistent with Canada’s international trade obligations, but the issue could be subject to challenge. The Comprehensive and Progressive Trade Agreement for Trans-Pacific Partnership (CPTPP), the major Asia-based trade agreement that Canada implemented last year, features a commitment to allow cross-border transfers of information by electronic means.
The treaty limits restrictions on the open-border principle for data transfers, stipulating that any limitations may not be arbitrary, discriminatory or a disguised restriction on trade. Moreover, any limits cannot be greater than those required to achieve a legitimate policy objective. The Canada-U.S.-Mexico Agreement contains similar language.
The imposition of consent requirements for cross-border data transfers could be regarded as a non-tariff barrier to trade that imposes restrictions greater than those required to achieve the objective of privacy protection. The interpretation is particularly vulnerable given that PIPEDA has long been said to provide such protections without the need for this additional consent regime.
Regardless of the international trade implications, however, the OPC approach would have enormous implications for e-commerce and data flows, with many organizations forced to rethink well-established data practices and compliance policies. Indeed, companies thinking of servicing the Canadian market would be forced to consider whether they must limit data transfers, likely adding cost and complexity to digital operations.
As Canadians express mounting concerns about their privacy online, tougher enforcement measures and better safeguards may be needed. Yet those issues are more properly addressed by government policy within a national data strategy and privacy law reform, not an OPC guideline that, if enacted, is likely to spark an avalanche of legal challenges.