On April 23, 2019, the Office of the Privacy Commissioner of Canada (OPC) released a supplementary discussion document providing further explanation as to why the OPC is revisiting its policy position on transborder dataflows.
Earlier this month, the OPC launched a consultation on transborder dataflows under the Personal Information Protection and Electronic Documents Act (PIPEDA), as previously reported by the E-TIPS® Newsletter here. The OPC is proposing that all transfers of personal information between organizations, including service providers for data processing, constitute a “disclosure” and require the organization to obtain consent.
The supplementary discussion document states that the OPC’s consultation was launched in response to the OPC’s recent findings in the Equifax investigation. In 2017, the OPC launched an official investigation into the Equifax global data breach (as previously reported by the E-TIPS® Newsletter here). On April 9, 2019, the OPC finally released its report of findings into the Equifax investigation, in which the OPC concluded that Equifax “fell far short of their privacy obligations to Canadians.”
The OPC reports that several of the complainants were surprised to learn that their personal information was transferred to the US. Equifax’s Canadian customers interacted exclusively with Equifax Canada and were not explicitly advised that their information would be processed in the US. According to the OPC, organizations must obtain express consent where individuals would not reasonably expect the transfer.
The OPC states that the Equifax investigation highlights that a transfer of personal information between one organization and another clearly fits within the dictionary definition of “disclosure”, and that the OPC’s previous position on transborder dataflows, “is likely not correct as a matter of law.”
Summary By: Michelle Noonan