Dear M. Therrien:
Thank you for the opportunity to provide input into the consultation on whether consent is or should be required for transborder data flows for processing.
Introduction
By way of introduction, I am a senior technology lawyer with McCarthy Tétrault. I have significant experience in outsourcings of all types, both domestic and trans-national. I have been involved in some of Canada largest and most complex outsourcing transactions. In this connection, and as part of my privacy practice, I regularly advise clients on privacy issues associated with transfers and disclosures of personal information. I also teach privacy at Osgoode Hall Law School as part of an intellectual property law course. I also have written extensively about privacy issues including a major chapter in my eight volume book on Computer, Internet, and ecommerce Law. As such, I respectfully submit I am well positioned to provide both theoretical and practical input into the consultation.
The reframed consultation document makes a number of statements about policy that I support. In particular,
- “…we firmly believe the government has an obligation to protect the privacy of its citizens through the adoption of effective privacy laws”.
- Our privacy framework should be “designed to ensure the continued free flow of personal information across borders while establishing meaningful protection for privacy and security of personal information.”
- “The OPC’s long term goal is to ensure effective privacy protection in the context of transborder data flows and transfers for processing, accepting that transborder flows are the subject of international trade agreements and that both domestic and international transfers bring significant benefits to individuals and organizations.”
- “Accountability is an important privacy safeguard in the context of transfers. Principle 4.1.3 of PIPEDA currently provides that organizations ‘shall use contractual or other means to provide a comparable level of protection’ when personal information is being processed by a third party.”
In my view a transfer of personal information purely for processing purposes is not, and should not be, regarded as a disclosure requiring consent under PIPEDA. Reading such a new requirement into PIPEDA is not required to protect the public, it cannot be justified when construing PIPEDA under well established canons of interpretation, and would have detrimental consequences that would inhibit legitimate uses of personal information and create barriers to trade and innovation.
In my view, upending PIPEDA to read in a new consent requirement for transfers of personal information for processing purposes is an unnecessary solution in search of a non-existing or pressing problem.
Proper Interpretation of PIPEDA
The OPC had, prior to its decision in Equifax, consistently in its 2009 Guideline and in seminal decisions directly on the issue, held that transferring personal information solely for processing purposes was a transfer and not a disclosure of personal information.[1] The distinction between a disclosure and transfer for processing was also recently reiterated by the OPC in its Guidelines for Obtaining Online Consent.[2]
In Equifax, for the first time, the OPC changed its interpretation of PIPEDA. However, in Equifax the OPC did not provide any analysis that explained why the change in interpretation was needed as a matter of statutory interpretation or policy only stating in the decision:
101 At the same time, these transfers for processing from Equifax Canada to Equifax Inc. constitute disclosures of personal information under the meaning of PIPEDA Sections 7(3), and 4.3.[3]
111 However, as noted in para. 101 above, we acknowledge that in previous guidance our Office has characterized transfers for processing as a ‘use’ of personal information rather than a disclosure of personal information. Our guidance has also previously indicated that such transfers did not, in and of themselves, require consent. In this context, we determined that Equifax Canada was acting in good faith in not seeking express consent for these disclosures.
In the Consultation Document, the OPC claims the change in interpretation “is based ultimately on our obligation to ensure that our policies reflect a correct interpretation of the current law.” The OPC correctly referred to the relevant principles of statutory interpretation being that the construction of PIPEDA “must of course be based on the text adopted by Parliament, read in its entire context and in its grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament”. However, in coming to its conclusion, the OPC did not properly apply these principles.
The OPC’s reasons for assimilating the term “transfer” as a “disclosure” is contained in the following paragraph:
During the Equifax investigation, it became apparent that the position that a transfer (i.e., when a responsible organization transfers personal information to a third party for processing) is not a “disclosure” is debatable and likely not correct as a matter of law. In our view, a transfer of personal information between one organization and another clearly fits within the grammatical and ordinary sense of “disclosure”: « make known, reveal » (Canadian Oxford English Dictionary). This is also the meaning of the term “disclosure” in the Privacy Act, the other principal law of the Parliament of Canada in relation to the protection of personal information. In addition, a number of provincial statutes in Canada, deemed substantially similar to PIPEDA, either consider transfers for processing as disclosures, or adopt specific rules for these activities and, notably, explicitly exempt these activities from a consent requirement. PIPEDA has no such explicit exception.
As can be seen from the above, the OPC asserts that a transfer of personal information fits within the grammatical and ordinary sense of “disclosure” because the information is made known or revealed to the transferee. It is possible that the term “disclosure” can be interpreted broadly to include transfers of personal information. However, in its ordinary and grammatical meaning, particularly in the context of Principle 4.1.3, it cannot easily be construed to cover transfers. The OPC did not analyze why personal information transferred for processing is made known or revealed. In many cases, it is not. The ordinary meaning of the term “processing” in the computer context (according to Collins English Dictionary) is an “activity of performing mathematical and logical operations on data according to programmed instructions in order to obtain the required information”. In many outsourcing situations the data transferred to a third party is encrypted and cannot be accessed or viewed by the processor. Contractual and technical restrictions frequently also prohibit any access or review of data processed, even if not encrypted. The processing is frequently achieved by using programmed computers which act on the information to produce a result for the controller of the information. It strains the meaning of the term “disclosure” to apply it across the board to these situations.
The terms “disclose” and “disclosure” are used repeatedly in PIPEDA, frequently, but not always, in connection with the terms “collect’ and “use”. The term transfer is used in Section 33[4] as well as in Principle 4.1.3. The use of these different terms throughout PIPEDA strongly signals that Parliament intended them to cover different acts. If Parliament (and the drafters of the CSA Model Code) had intended transfers for processing to mean “disclosures” to a third party for processing it would have used that term.
Moreover, at the time PIPEDA was enacted there was a well known distinction in privacy law between transfers of personal information for processing (which did not require consent) and disclosures of personal information which, depending on the circumstances did require consent. This distinction was exemplified in the 1995 EU Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (later superseded by the GDPR). The Directive did not treat a transfer of personal data for processing[5] as a disclosure requiring consent. Rather, having recognized the importance to trade of the ability to transfer data for processing,[6] it established an express regime permitting transfers of personal data (using the term “transfer”) where the third country ensured an adequate level of protection or where derogations existed such as the consent of the data subject to the transfer.[7]
The drafters of the CSA Model Code (which was incorporated into PIPEDA) were clearly aware of, and were influenced by, this framework which is reflected in the choice of the words used in Principle 4.1.3. It also influenced the adoption of the accountability principle as a means of ensuring adequate levels of protection where personal information is transferred for processing.
The OPC asserts, in support of its conclusion, that the term disclosure is defined in the Privacy Act as including a transfer. However, that Act contains no such definition. The OPC refers to the Treasury Board, Directive on Privacy Practices, 6.2.22 and Appendix A: “Definitions”. The Directive defines “disclosure” to mean “The release of personal information by any method (e.g., transmission, provision of a copy, examination of a record) to any body or person.” While the language may be broad, its focus is on the means of providing information (including by transmission). It does not, however, as implicitly suggested by the OPC, cover the purposes of the transmissions or suggest that transfers for processing would be included.
The OPC also asserts, in support of its conclusion, that a number of provincial statutes in Canada, deemed substantially similar to PIPEDA, consider transfers for processing as disclosures, or adopt specific rules for these activities and, notably, explicitly exempt these activities from a consent requirement. In footnotes the OPC refers to British Columbia’s Personal Information Protection Act, But, the BC PIPA doesn’t appear to have a provision that supports this assertion. It also refers to New Brunswick’s Personal Health Information Privacy and Access Act. The NB PHIPAA does have an express provision that regulates a custodian’s providing personal health information to an information manager for processing, requiring, for example, a written agreement. The structure of the NB PHIPAA is quite unlike PIPEDA and it is uncertain how its provisions can be usefully compared to PIPEDA. This is especially the case as PIPEDA is a statute of general application while the NB PHIPAA’s focus is on personal health information.
The Consultation Document also does not refer to other provincial laws that are substantially similar to PIPEDA that do not treat a transfer for processing as a disclosure. For example Ontario’s Personal Health Information Protection Act (PHIPA), like PIPEDA, treats such transfers as a use and not a disclosure.[8] The Alberta Personal Information Protection Act (PIPA) has an express provision requiring that individuals be notified before information is transferred for processing outside of Canada.[9]
In summary, the language and structure of PIPEDA, its legislative history, and the other Canadian privacy laws do not support the OPC position that a transfer for processing is a disclosure requiring consent. The current OPC position would, in fact, be in conflict with these laws.
Policy Considerations
The OPC has not clearly stated why its prior interpretations of PIPEDA is inadequate to protect the public. In Equifax, which led to the OPC’s re-assessment of the law, the OPC made clear findings that the accountability principle applied and ruled that the complaint was well founded in this regard. The OPC also used that occasion to set out a very robust interpretation of the principle. The OPC decision in the recent Facebook decision also found the complaint against Facebook well founded based on this principle. Rather than showing any need for a re-interpretation of the law, these decisions show that the accountability principle sets a high bar that organizations must meet.
I have negotiated numerous agreements that involved transfers of personal information for processing outside of Canada. In my experience, organizations take this principle extremely seriously and a great deal of time is spent in negotiations to ensure compliance. To the extent that some organizations may have been lax in meeting this principle, the decisions in Equifax and Facebook have underscored its importance. If there is a problem it is the lack of meaningful sanctions for a breach of the principle, not with the principle itself. Some organizations have, in fact, revisited their template outsourcing and privacy templates to ensure compliance following the release of the Equifax decision.
The Consultation Document also refers to the adequacy principle which has been adopted internationally stating:
More generally, we firmly believe the government has an obligation to protect the privacy of its citizens through the adoption of effective privacy laws. In the context of transborder data flows, this has led several countries (including members of the European Union, as well as Japan, Malaysia, Brazil, Colombia, Morocco and Tunisia) to adopt adequacy regimes, whereby the personal information of citizens protected by national laws may only be transferred outside the country, generally, where the receiving country has laws that were found to provide an adequate level of protection. Transfers to countries whose laws were not found adequate are also possible under other measures, such as standard contractual clauses approved by a public authority, usually domestic regulators. In Canada, the adoption of an adequacy regime may be too fundamental a change to consider; in addition, the efficacy of such a regime is not universally recognized. In our view, adopting a regime of standard contractual clauses, as described, should seriously be considered as it would again add a level of review by an independent public authority.
PIPIDA’s accountability principle accomplishes the same objectives as the adequacy regimes and was undoubtedly influenced by the EU Directive approach to ensuring the protection of personal data when transferred for processing. PIPEDA has been found by the European Union to meet its adequacy standard. The accountability principle helps meet the adequacy standard applied to cross border sub-processing of European data. It also shows that Canada’s privacy law meets international standards in this regard. In fact, by requiring a “comparable level of protection” it may even require organizations to better protect personal information processed abroad such as where organizations have standards for protecting personal information that exceed those mandated by PIPEDA. Further, the accountability principle provides flexibility in how personal information can be protected when transferred for processing. The prevalence of the adequacy principle around the world and the analogous role accomplished by the accountability principle strongly shows there is no cogent policy need to read into PIPEDA a new consent requirement.
The Consultation Document doesn’t explain why adding a new consent requirement into PIPEDA would enhance privacy in Canada. It notes that under the 2009 Guideline
“Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.”
Adding a new consent requirement would not result in any real practical benefits to consumers over the notice requirement. Most organizations would likely only include the requirement for consent in their privacy policies, the same place they provide the notice.
A new requirement for consent would, however, have significant detrimental impacts on Canadian organizations. While the OPC characterises the issue as one addressing trans-border data processing, it is much broader as the disclosure principle applies regardless of whether the disclosure is to a person inside or outside of Canada.
Canadian businesses are under intense pressure to innovate and be and remain competitive. This requires them to continually evaluate and re-evaluate what processes they can have performed by others. The OPC suggested in the Facebook decision that organizations must obtain consents in a clear, comprehensive and understandable manner and should be presented in a timely manner, such that users have the relevant information and context needed to make an informed decision before or at the time when their personal information is collected, used or disclosed. Meeting this standard would be problematic where consents may be required for the numerous contractors and subcontractors and other third party suppliers that companies may use from time to time.
Further, if a transfer for processing is viewed as a disclosure requiring consent, then if an individual refuses to consent, organizations would have determine if they could refuse to provide a product or serviced to the individual in view Principle 4.3.3 of PIPEDA which states:
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
An interpretation of this principle that permits one or more individuals to veto how an organization processes personal information could have an extremely disruptive effect on legitimate processing. If, however, an organization can refuse to provide a service that uses foreign processors to an individual that does not consent, a position that the OPC appears to have accepted in the original consultation document,[10] then the requirement for consent will add little practical incremental benefit over notification to individuals, but would still burden organizations with obligations to seek consents. It would also likely result in consumer frustration because it would create an expectation that individuals have a right to refuse consent but would see this undermined when denied a product or service because of the refusal.
Canadian organizations are also frequently only one part of global supply chains. Personal data is often transferred from other jurisdictions such as the European Union into Canada. It is then often transferred to other third parties for sub-processing or further processing. Canada can participate in these global supply chains because PIPEDA does not require transfers for processing (or sub-processing) as requiring consents. However, this re-interpretation of the law by the OPC, if allowed to stand, would make Canada an unwelcome place to locate data centres or to process personal information. This interpretation of the law would operate as a trade barrier that would put Canadian businesses at a disadvantage. It would also undermine other government policies to promote innovation and Canada’s success in the fourth industrial revolution which is highly dependant on the free flow of data across borders.
In summary and in answer to your questions:
1.How should a future law effectively protect privacy in the context of transborder data flows and transfers for processing?
- Parliament achieved the appropriate balance in PIPIDA with the accountability principle. This principle is built on evolving requirements to protect personal information from security and related threats. No changes are required in this framework.
- The decision in the Equifax case has created uncertainty in Canadian law. It is submitted that the law was clear prior to the decision in Equifax and that prior decisions were fully consistent with established principles of statutory interpretation.
2. Is it sufficient to rely on contractual or other means, developed by organizations and reviewed only upon complaint to the OPC, to provide a comparable level of protection? Or should a future law require demonstrable accountability and give a public authority, such as the OPC, additional powers to approve standard contractual clauses before they are implemented and, once they are adopted, proactively review their implementation to ensure a comparable level of protection?
- The OPC has the power to investigate compliance with PIPEDA already. See, Section 11(2). There is no special need for additional powers to solely address trans-border data flows. The need for any expanded powers should be assessed having regard to PIPEDA as a whole
3. How should a future law effectively protect privacy where contractual measures are unable to provide that protection.
- If contractual or other measures are insufficient to protect privacy in the context of trans-border data flows, the problem does not arise from the accountability principle which is consistent with international standards. Rather, any such problem would stem from what may be perceived by offenders as the lack of any robust sanction for violation of the principle. Measures needed to improve compliance should be considered as part of a broader review of PIPEDA.
4. In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
- The principle does not apply for the reasons given above. In my view, the reasoning outlined in the Consultation Document is incorrect.
5. Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
- It does not for the reasons given above. If Parliament had intended consent to apply, Principle 4.1.3 would have been worded differently to refer to a “disclosure” for processing.
6. What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1 2019?
- There should be no requirement for consent for the reasons given above. It would not provide any meaningful incremental benefits to individuals, it would be disruptive to supply chains and to innovation, and would be inconsistent with international standards.
7. Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
- Yes, it would significantly affect organizations, as explained above.
8. Any other comments or feedback you think may be helpful.
- Individuals and organizations depend on the OPC to protect privacy while at the same time facilitating legitimate uses of personal information to conduct their operations. Organizations have already structured their privacy compliance program to conform to the OPC’s interpretation of the law in the 2009 Guideline and decisions prior to the decision in Equifax. The public expects that the OPC will, like other regulatory bodies, provide consistent guidance and make decisions that follow established precedents. This is a fundamental hallmark of good administrative and regulatory practice. The Equifax decision and this consultation has given rise to significant consternation because of the OPC’ unilateral reversal of well established guidance and decisions and because the significant ramifications of the decision that may not have been taken into account. I respectfully submit that the OPC should quickly announce it will revert to its prior position pending any change or clarification of the law by Parliament.
____________________
[1] See, PIPEDA Case Summary #2008-394, PIPEDA Case Summary #2007-365, PIPEDA Case Summary #2005-313.
[2] “Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first-party.”
[3] [footnote 13] “Our Office recognizes that this position represents an evolution from previous findings and guidance by our Office, where transfers for processing have been characterized as a ‘use’ of personal information rather than a disclosure. In the interests of clarity on a going forward basis, we intend to provide further guidance in relation to consent for disclosures which also constitute transfers for processing.”
[4] 33 “A minister of the Crown and any department, branch, office, board, agency, commission, corporation or body for the administration of affairs of which a minister of the Crown is accountable to the Parliament of Canada may use electronic means to create, collect, receive, store, transfer, distribute, publish or otherwise deal with documents or information whenever a federal law does not specify the manner of doing so.”
[5] The Directive defined “’processing of personal data” or “processing” as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.
[6] See Recital (56) “Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;”
[7] See Articles 25 and 26.
[8] See, s. 37(2).
[9] Seem ss 13(2) and (3).
[10] “In other words, individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.”