On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) issued a new Consultation on transborder dataflows, recommending that organizations be required to obtain individuals’ consent — express or implied — for transfers of personal data outside of Canada. The OPC is accepting comments on the Consultation through June 4, 2019.
The Consultation is a significant departure from the OPC’s current interpretation of cross-border data transfer requirements under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The current, well-established cross-border requirements — which the OPS set out in its 2009 Guidelines on cross-border data transfers — allowed organizations to rely on the principle of accountability to protect personal data transferred outside of Canada.
The Consultation proposes requiring express or implied consent for cross-border data transfers, depending on the sensitivity of the information at issue and the reasonable expectations of the individual. The OPC describes this as a “risk of harm” analysis, with express consent required where there is “meaningful risk that a residual risk of harm will materialize and will be significant.”
To support its proposed change, the OPC has explained that the accountability principle merely regulates cross border data processing “in part,” and that “nothing in PIPEDA exempts data transfers … from consent requirements.” As a result, the OPC’s view is that the general requirement under PIPEDA — that organizations obtain consent for any collection, use or disclosure of personal data, unless an enumerated exception applies — similarly extends to cross border data transfers.
When requesting consent, organizations would need to provide individuals with “clear information” about disclosures to third parties, including recipients outside of Canada, and the associated risks of such disclosures. In addition, organizations would need to inform individuals of any alternative options that may be available to them if they choose not to consent. Organizations would not be required to provide an alternative option where the cross border transfer is “integral to the delivery of a service.”
While we are seeing a proliferation of attempts to regulate cross-border transfers of personal data, the reality remains that data flows seamlessly across borders. It is reasonable to require organizations to inform consumers of cross-border transfers as part of required privacy disclosures – including in privacy notices and policies. A consent requirement would exceed even the GDPR’s limitations on cross-border data transfers, and could be disruptive to US and Canadian businesses.