Transferring Personal Information Outside of Canada? Not so Fast, Privacy Commissioner Says

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the collection, use and disclosure of personal information in the course of commercial activity by private sector organizations operating in various jurisdictions in Canada, including organizations operating in Saskatchewan and Manitoba. PIPEDA also applies to organizations that operate in multiple jurisdictions, and where personal information moves across provincial or national borders.

PIPEDA sets out requirements for how organizations may collect personal information and what organizations can do with personal information, including in circumstances where that information is transferred to third parties (such as affiliates or service providers) for storage and processing.

Previously, the Privacy Commissioner of Canada (the “Commissioner”), who is responsible for overseeing PIPEDA, took the position that personal information can be transferred outside of Canada for storage and processing, provided that certain conditions are met – including, for example, that the information is protected with appropriate safeguards and that individuals are given appropriate notice that their information is stored in, and may be subject to, the laws of that other jurisdiction.

The Commissioner recently announced potential changes to this position that, if implemented, would require many organizations to review and change their existing practices.

In particular, the Commissioner is considering requiring organizations to:

  1. Obtain consent from individuals before their personal information is transferred outside of Canada (including for storage or processing by service providers).
  2. Inform individuals of options available to them if they do not wish to have their personal information transferred outside of Canada.
  3. Ensure that organizations maintain control of personal information transferred to a third party for processing.

This change in position appears to be the result of the Commissioner’s recent decision relating to a breach of personal information involving Equifax. In that decision, the Commissioner found that Equifax was in contravention of PIPEDA on a number of fronts, including that Equifax lacked appropriate safeguards and did not seek valid express consent from customers for Equifax to transfer their personal information to its affiliate in the United States.

Last month, the Commissioner began consultations regarding these proposed changes, and provided some useful background in a consultation document as well as a supplementary discussion document.

Since the outset of this consultation period, a number of stakeholders have expressed various concerns with these potential changes.

As a result, the Commissioner announced an extension of the deadline for the consultations to June 28, 2019. However, more recently, the Commissioner indicated that consultations regarding these changes will be suspended in response to the recent announcement by Innovation, Science and Economic Development Canada (ISED) of its plan to further modernize and amend PIPEDA.  

The Commissioner has confirmed that organizations are not expected to change their current practices at this time.

However, until further clarification is available from the Commissioner, it is important to keep in mind that the Commissioner could reach the same conclusion it reached in the Equifax decisions in similar circumstances involving the transfer of personal information outside of Canada, particularly with respect to sensitive information (such as financial information).

As such, in the meantime, organizations are well-advised to:

  • review their existing policies and procedures, and consider if revisions to align them with the potential change in position reflected in the Equifax decision are appropriate; and
  • watch for updates from ISED regarding proposed amendments to modernize PIPEDA.

We will be watching developments regarding the position of the Commissioner with respect to transborder data flows, and ISED’s modernization of PIPEDA, with interest. If you require more information regarding the impact of these developments on your organization or assistance with reviewing your existing policies and procedures, a member of our science and technology team would be pleased to assist you.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.