May 6, 2019
Note to Canadian NPC Clients: Our data storage for you, for both NPC DataGuard and Office 365, are in Canada. This Alert will only be a concern to you if you employ other applications or processes that may involve the transborder flow of information.
What's the issue?
In an April 9 decision regarding the Equifax data breach, the Office of the Privacy Commissioner of Canada (OPC) took a significant departure from their previous position regarding the storage or processing of Canadian's personal information outside of Canada. This activity is governed by the Personal Information Protection and Electronics Document Act (PIPEDA). PIPEDA applies to almost all Canadian businesses, and individuals acting as a business. Alberta, British Columbia and Quebec have provincial legislation that is substantially similar to PIPEDA, that is administrated and enforced provincially.
The OPC's previous position on cross-border data transfers was that consent from an individual whose personal information was collected was not required. Transfers of data across borders for the purposes of processing or storage, whether to a cloud service or affiliated company, were not considered "disclosure" of the data to the storing or processing party, but rather "use" of the personal information by the business that collected it. While liability for the data remained with the entity that collected the data, the OPC was largely indifferent to where it was stored or processed. The OPC maintained that the principles of PIPEDA still applied, which, among others, include accountability of the collected data and transparency about the use, processing, etc. Transparency to individuals as to what was happening with the collected data was accomplished, sometimes, with simple policies posted on a website or text in a terms and conditions document. This created what is generally referred to as "implied consent."
The OPC has now stated that its previous position was "likely not correct as a matter of law" and is now saying that all transborder transfers of personal information require "meaningful consent" from the individual, sometimes referred to as "express consent." This level of consent is described in PIPEDA and requires an entity to ensure the level of consent is commensurate with the risk of harm to the individual were it breached. In most cases express consent is a significant undertaking, a dynamic and ongoing process between the individual and the collecting organization.
It requires the individual to be informed in detail of numerous facts and factors related to the information collected and all of the process around it, including why it was collected, what it will be used for, who it will be disclosed to, levels of protection, the user's ability to control and recall it, among others. The OPC is taking the position that individuals have a right to know where their personal information is, how it is safeguarded, and when it is subject to the legal regime of another country.
This issue has come about in part as a result of some Canadians complaining to the OPC that they only learned that the personal information they submitted to Equifax Canada was sent to the U.S. for processing and storage as a result of notification it was breached.
While the OPC has stated that this is their new position, they are conducting a Consultation on Transborder Dataflows inviting interested parties to ask questions and offer feedback. The Consultation period closes June 4, 2019. It is our belief, based on previous history, while some adjustment to their position may come as a result of the Consultation, as it stands today it is likely this new, substantially higher standard of care and process requirement for any organization collecting Personally Identifiable Information will remain.
We believe this change in PIPEDA's application will have an extensive impact on the various cloud, data storage, and application services Canadian businesses use to run their businesses. As an example, for a financial services professional, using a data backup service or CRM provider from the U.S. that does not have servers in Canada will require a detailed, annual, signed consent from each client, and ongoing management of the process that is well in excess of what is required today.
What should I do?
We will monitor this issue and send a subsequent alert on any further material developments before or as a result of the Consultation. Businesses and professionals in Canada that collect personal information on their clients, or receive it as part of a business process, should starting considering today where the servers are that provide the various services they use, and check if the level of consent they have is sufficient to satisfy the new interpretation of the transborder movement of personal information.
For more information: