12 April 2019

Data Flows in Canada

The Office of the Privacy Commissioner of Canada (OPC) - historically less forward-looking that some of Canada's provincial commissioners but much ahead of the OAIC in Australia - is conducting a consultation on transborder dataflows. That consultation is interesting as the OPC moves forward through a regime in which interpretation by the Office and courts is as important as the statutes.

The OPC states that it
 is revisiting its policy position on transborder data flows under the Personal Information Protection and Electronic Documents Act (PIPEDA). This includes not only cross border data transfers between controllers and processors, but also other cross border disclosures of personal information between organizations.
The OPC is committed to consulting with stakeholders on changes to its policy positions. This document aims to explain how the OPC’s approach on cross border data flows, including transborder transfers for processing, has evolved and to solicit feedback from interested parties. ...
Under PIPEDA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. In the absence of an applicable exception, the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another. Naturally, other disclosures between organizations that are not in a controller/processor relationship, including cross border disclosures, also require consent.
For consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including instances when they are located in another country, and the associated risks. When determining the form of consent (express or implied), companies will need to consider the sensitivity of the information and individuals’ reasonable expectations. We believe individuals would generally expect to know whether and where their personal information may be transferred or otherwise disclosed to an organization outside Canada.
Organizations that have obtained consent to transfer an individual’s personal information across a border in the context of processing will generally remain accountable for the information following its transfer. As stated in PIPEDA’s accountability principle (4.1), the controller will still be required to use contractual or other means to provide a comparable level of protection while the information is being processed.
The OPC’s 2009 guidelines stated there are different approaches to protecting personal information that is being transferred for processing. The guidelines went on to suggest that “in contrast to (the European Union’s) state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy.”
While it is true that Canada does not have an adequacy regime and that PIPEDA in part regulates cross border data processing through the accountability principle, nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements. Therefore, as a matter of law, consent is required. Our view, then, is that cross-border data flows are not only matters decided by states (trade agreements and laws) and organizations (commercial agreements); individuals ought to and do, under PIPEDA, have a say in whether their personal information will be disclosed outside Canada.
Organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process. In other words, individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.
We have considered the implications of our position in the context of cross-border trade and the importance of information flows for the purpose of facilitating commerce. In our view, this position is consistent with Canada’s international trade obligations. ...
Stakeholders are encouraged to review the following key points which expand upon our position:
A company that is disclosing personal information across a border, including for processing, must obtain consent. Individuals must be given the opportunity to exercise their legal right to consent to disclosures across borders, regardless of whether these are transfers for processing or other types of disclosures. When information is disclosed between organizations, absent an exemption in PIPEDA, consent is required.
Under PIPEDA, the form of consent required depends on the sensitivity of the information at issue and the individual’s reasonable expectations in the circumstances. Underlying the contextual analysis of both sensitivity and reasonable expectations is the risk of harm to the individual. Where there is a meaningful risk that a residual risk of harm will materialize and will be significant, consent should be express, not implied.
It is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country. Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual.
Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders. As we state in our consent guidance, organizations must make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service. Depending on the circumstances, a transfer for processing may well be integral to the delivery of a service and in such cases, organizations are not obligated to provide an alternative. Nonetheless, by being provided with clear and adequate information about the nature, purpose and consequence of any disclosure of their personal information across borders, individuals will be able to make an informed decision about whether to consent to the disclosure and therefore do business with the organization.
When disclosing personal information to a third party for processing, a company does not relinquish control of the information. That being said, business relationships can be very complex and determining which organization has personal information “under its control” needs to be assessed on a case-by-case basis, and informed by factors such as relevant contractual arrangements, commercial realities, as well as evolving business models and shifting roles. For instance, if an organization that is a processor uses or discloses the same personal information for other purposes, it is no longer simply processing the personal information on behalf of another organization and is thereby acting as an organization “in control” of the information.
An organization that processes personal information on behalf of another organization may still have obligations under the Act in respect of the personal information in its possession or custody, as an organization that collects, uses or discloses personal information in the course of commercial activities.
The OPC contextualises the consultation by explaining that the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to a third party, including a third party operating outside of Canada, for processing.
As the legislation itself states, PIPEDA is intended to "support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances?" This acknowledges that proper protection of personal information both facilitates and promotes commerce by building consumer confidence. Today's globally interdependent economy relies on international flows of information. These cross-border transfers do raise some legitimate concerns about where personal information is going as well as what happens to it while in transit and after it arrives at some foreign destination. Consumer confidence will be enhanced, and trust will be fostered, if consumers know that transfers of their personal information are governed by clear and transparent rules. There are different approaches to protecting personal information that is being transferred for processing. European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information. 
In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy. PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organizations. T 
he key is Principle 1 of the CSA Model Code for the Protection of Personal Information, which forms Schedule 1 of PIPEDA. 
Principle 1 addresses the balance between the protection of personal information of individuals and the business necessity of transferring personal information for various reasons, including the availability of service providers, efficiency and economy. 
Principle 1 places responsibility on an organization for protecting personal information under its control. Principle 4.1.3 of Schedule 1 of PIPEDA specifically recognizes that personal information may be transferred to third parties for processing. It also requires organizations to use contractual or other means to "provide a comparable level of protection while the information is being processed by the third party." 
Principle 1 states: "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."  
What Do These Terms in Principle 1 Mean? 
Transfer "Transfer" is a use by the organization. It is not to be confused with a disclosure. When an organization transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. A simple example is the transferring of personal information for the purpose of processing payments to customers. Or to use another example, an internet service provider may transfer personal information to a third party to ensure that technical support is available on a 24/7 basis. Increasingly, organizations outsource processes to third parties. In many cases, this involves the transfer of personal information. In the context of this document, when we refer to outsourcing, we are referring specifically to outsourcing that involves personal information. PIPEDA does not distinguish between domestic and international transfers of data. 
Processing "Processing" is interpreted to include any use of the information by the third party processor for a purpose for which the transferring organization can use it. 
Comparable Level of Protection "Comparable level of protection" means that the third party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board but it does mean that they should be generally equivalent. 
What Must Organizations Do? 
As the principle suggests, the primary means by which an organization may protect personal information that is sent to a third party for processing is through a contract. Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. 
The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. It should also have the right to audit and inspect how the third party handles and stores personal information, and exercise the right to audit and inspect when warranted. 
The OPC recognizes the complexity of the electronic world and understands that it is often impossible for an organization to know precisely where information is flowing while in transit. But that being said, the law is clear on where accountability lies and organizations must in their own best interests, as well as those of their customers, do what they can to protect the information. 
Why Comply? Your customers expect you to be transparent about your practices: they will ask. These are best practices: following them may give you a competitive advantage. The law requires you to protect personal information while it is in the hands of a third party processor: failure to comply could result in complaints and legal action. What the organization cannot do through contract - or indeed by any other means - is to override the laws of a foreign jurisdiction. So, what can an organization do to fulfill its obligations under Principle 4.1.3 of Schedule 1 of PIPEDA when it comes to transfers to foreign jurisdictions with respect to the issue of access to the personal information by foreign courts, law enforcement and national security authorities? 
In an investigation into a complaint involving outsourcing to a U.S. firm by CIBC Visa, the OPC found CIBC to be in compliance with PIPEDA. The OPC relied on the Office of the Office of the Superintendent of Financial Institutions' guidelines for federally regulated financial institutions. Those guidelines advise organizations to pay particular attention to the legal requirements of the jurisdiction in which the third party processor operates, as well the "potential foreign political, economic and social conditions, and events that may conspire to reduce the foreign service provider's ability to provide the service, as well as any additional risk factors that may require adjustment to the risk management program." While these guidelines set a high standard for the protection of sensitive financial information by financial institutions, other organizations transferring sensitive personal information would also be well-advised to take note of them. We assume that any organization looking at outsourcing to another jurisdiction will take a number of factors into account – for example, potential cost savings, the ability to provide better customer service, the availability of specialized expertise outside the company and other practical considerations. 
In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction. Organizations need to be diligent in all their dealings with foreign third party processors. What Should Individuals Expect? Individuals should expect that their personal information is protected, regardless of where it's processed. Organizations transferring personal information to third parties are ultimately responsible for safeguarding that information. Individuals should expect transparency on the part of organizations when it comes to transferring to foreign jurisdictions. ... 
 Summary of Key Findings 
The OPC has made a number of findings related to cross-border transfers of personal information in its complaint investigations over the past several years:
  • PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. 
  • PIPEDA does establish rules governing transfers for processing. A transfer for processing is a "use" of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required. 
  • The transferring organization is accountable for the information in the hands of the organization to which it has been transferred. 
  • Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract. 
  • No contract can override the criminal, national security or any other laws of the country to which the information has been transferred. 
  • It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada. 
  • Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.