OPC Proposed Change Equal to Legislative Change Without Legislative Process
On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) announced it was looking to change their position on trans-border flow of personal information. The proposed change in position will impact not only cross-border data transfers between controllers and processors, but also other cross-border disclosures of personal information between organizations. We note the OPC’s use of “controller” and “processor” is a nod to the trend that the OPC is taking a position more in line with the GDPR.
Historically, cross-border flow of personal information to a processor acting solely for the benefit of the principal organization was not a disclosure, but deemed to be a use. This means that organizations need to notify individuals of their practices, but consent to this practice is not required. Currently, organizations are required to notify individuals that personal information may be processed outside of Canada, and that the laws of the jurisdiction in which the personal information was situate (which may be different than Canadian laws) would apply. In addition, organizations are required to ensure the processors secure the personal information in their control.
Under the proposed OPC interpretation, providing notice and ensuring proper safeguards will not be sufficient. Organizations will also need to obtain consent from individuals for such organizations to be able to process or store personal information outside of Canada.
The vast majority of clients we work with use a third party, which includes affiliates, in some form for processing personal information (cloud storage provider, SaaS hosting relationships, customer contact management, payment processing, etc.), and a good percentage of those processors and affiliates have some touch point outside of Canada. From a business perspective, the difference between providing notification to individuals versus obtaining the individuals’ consents is vast and will require a significant amount of resources to manage. It’s also not clear whether this will provide any greater level of security over the personal information at issue.
The form of consent (express [opt in] versus implied [opt out]) required depends on the sensitivity of the information at issue and the individual’s reasonable expectations in the circumstances. This analysis requires the organization to assess both the sensitivity of the personal information and reasonable expectations of the risk of harm to the individual. The OPC further provides that where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied. At first blush, this sounds logical, except that the interpretation of “sensitive information” and “risk of harm” we’ve seen from privacy commissioners across Canada would result, in almost all circumstances, in express consent being required.
In satisfying the “express consent” requirements set by the OPC’s office, businesses will need to allocate a fair amount of time and resources to creating and maintaining the appropriate consents as their practices evolve, and must be able to manage “opt outs”. Pursuant to the OPC’s “Consent Guidance” document published last year, for consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including instances when they are located in another country, and the associated risks.
Further, organizations must make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service. The OPC’s revised position also provides that individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders. It is not clear when a collection, use or disclosure of personal information is not necessary to provide the product or service, and therefore it is unclear when an individual can force an organization to use different processes while still requesting a product or service.
If you are a business person, take a moment and think through the implications this change in position will have on your business. Whether one believes that organizations should or should not have to obtain consent (versus notify), let’s step back and consider what this means practically. Businesses have built their infrastructure and day-to-day practices around the premise that if they provide proper notice to individuals and ensure proper safeguards, they are ok. Businesses have spent a significant amount of time and money selecting and integrating processors (often referred to as service providers), including resources relating to procurement, due diligence, contract negotiations and implementation. Businesses with affiliates around the world often centralize processing for the purpose of efficiency.
Canadian privacy laws are built on general principles with a view to allowing flexibility and evolution. That approach has merit, but it results in the prescriptive requirements contained in OPC “guidance documents” being equivalent to legislative requirements. The change in interpretation is effectively a change in legislation without the legislative debate and scrutiny. It’s not clear that the proposed change in interpretation will result in better safety or security for individuals. It is certain, however, that this change in interpretation will cost businesses significant amounts of money, which could otherwise be spent on wages and research and development.
Prior to imposing these costs on businesses, there should be scrutiny and debate. The OPC has asked for comments on the proposed change; however, asking for comments without the mandatory debate and legislative oversight is largely without substance. If the result of a legislative process is that the proposed change in interpretation is deemed merited, businesses may not like the result, but the legislative process will have played its intended role – a forum to try and ensure government actions do not unnecessarily or unfairly impose obligations on its constituents – obligations that have very real consequences for the Canadian economy.