On August 5, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP responded to the Office of the Privacy Commissioner of Canada’s (“OPC”) reframed consultation on transfers for processing. The reframed consultation replaced a previously suspended OPC consultation on the same topic, to which CIPL had also responded.
The reframed consultation puts forward the OPC’s short- and long-term views on how transfers of personal information outside of Canada should be handled. In the short term, and under the current drafting of PIPEDA, the OPC maintains that individuals should be asked for consent when their personal information will be transferred to foreign jurisdictions. In the long term, and under a revised data protection law in Canada, the OPC believes that transfers of personal information across borders should be protected through an accountability model backed up by appropriate enforcement authority.
CIPL agrees with the OPC’s long-term view and believes that accountability for transferred data is both viable and preferable for the optimal functioning of the modern digital economy and protection of personal information. The accountability-based approach has served Canada well over the past decade and CIPL believes that with appropriate enhancement, fine-tuning and enforcement, accountability will continue to be the best model to ensure responsible flows of personal information outside of Canada and protect individuals.
With respect to the OPC’s short-term view, CIPL remains opposed to the OPC’s proposed policy change requiring consent for transfers for the following reasons:
- There is no mandate under PIPEDA to require consent for transfers, whether they be domestic or cross-border (if there were, a public consultation on that point would not be warranted);
- Transparency and consent are two distinct elements and any issues surrounding a lack of transparency should be addressed through separate means, rather than through requiring consent (transparency with respect to transborder data flows is already required under the 2009 OPC guidelines for processing personal data across borders);
- Requiring consent will not provide any additional privacy protections for individuals;
- Any existing problems with the current approach could be addressed by clarifying organizational accountability and ensuring proper enforcement of this approach;
- Requiring explicit consent would be burdensome both for individuals and businesses, confuse individuals and reduce privacy protections;
- The revised OPC approach would be an outlier among transfer regimes globally (the GDPR enables information transfers without relying on individual consent, save in very narrow circumstances, and requiring consent is inconsistent with the APEC Privacy Framework and the APEC Cross-Border Privacy Rules);
- Requiring consent is also inconsistent with the OECD Recommendation of the Council on Regulatory Policy and Governance concerning Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data; and
- Requiring consent would undermine Canada’s commitments in relevant trade agreements such as the United States–Mexico–Canada Agreement, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the EU-Canada Comprehensive Economic and Trade Agreement.
To read more about the recommendations detailed above, please view the full paper.