On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) announced that it is revisiting its policy position on transborder dataflows under the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC’s new position would require that organizations obtain consent when transferring personal information to service providers for data processing.
PIPEDA requires consent for the collection, use or disclosure of personal information, subject to a limited set of statutory exceptions. The OPC’s previous guidelines considered transfers of information for data processing to be a “use” rather than a “disclosure” of the information. Therefore, organizations were not required to obtain consent in order to transfer personal information to a third party for processing. However, the OPC is now reversing its position and proposing that all transfers of personal information between organizations, including to service providers for data processing require consent since these transfers involve the “disclosure” of personal information from one organization to another. The proposal seems to specifically target cross-border transfers.
Not only may this proposed change conflict with existing provincial legislation, it will have major implications for organizations who use third party processors and will, for most companies, require additional consents to be obtained.
The OPC intends to issue further guidance on the proposed policy at a later date. The proposed policy is open for consultation until June 4, 2019. Feedback may be sent in the form of an email, Word or PDF document to OPC-CPVPconsult2@priv.gc.ca.
For more information, please see the OPC’s website.
Summary By: Michelle Noonan