Earlier this year the Privacy Commissioner launched and then relaunched a consultation that caused shockwaves among privacy lawyers, the tech community, and just about every organization that has third parties process data for them. The OPC sought to change its longstanding interpretation of Canada’s privacy law, PIPEDA, to require the consent of individuals to transfer personal information to a third party for processing.
The OPC received numerous submissions opposing the change including from the CLHIA, Centre for Information Policy Leadership, PMAC, and Canadian Chamber of Commerce. I also wrote a personal submission opposing it and explaining why such a change could not be justified under the wording of PIPEDA or as a matter of policy.
Yesterday, the OPC ended the consultation, dropping the push to change how PIPEDA has been interpreted for over a decade. According to the OPC:
During its consultation, the Office received 87 submissions. Stakeholders, including industry representatives, raised concerns with respect to the position that consent may be required for transfers for processing.
The vast majority took the view there was no requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent for transfers for processing and that doing so would create enormous challenges for their business processes.
In our view, this is a not uncommon situation where more than one interpretation of the law is possible. The Federal Court of Appeal has mandated that due to PIPEDA’s “non-legal drafting” and the fact that the Act “is a compromise both as to substance and to form”, a special rule of interpretation applies. The Court has held that: “Schedule 1 (of PIPEDA) does not lend itself to typical rigorous construction. In these circumstances, flexibility, common sense and pragmatism will best guide the Court.”
The OPC is applying this pragmatic approach in determining that it will maintain the status quo until the law is changed. To this end, the Office took into consideration the submissions received and the fact that the proposed position is unlikely to be applied in practice until years in the future, likely well after legislation is reformed…
Transfers for processing and cross border data flows can create significant benefits for consumers and organizations. One of PIPEDA’s purposes is to support and promote electronic commerce. However, these transfers create inherent risks for privacy that must be addressed through robust legal protections. In our view, existing privacy protections are clearly insufficient and we will be making recommendations to strengthen the protections in a future law.
The OPC has concluded the consultation and decided against changing the current guidelines for processing personal data across borders.
The Privacy Commissioner should be commended for making this decision, removing the uncertainty introduced by the consultation and the decision in the Equifax case, and for leaving any change in the law to Parliament.