Canada’s comprehensive privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), has permitted companies in receipt of individuals’ personal information to transfer such data outside Canada for processing or storage without the express consent of the individuals. That may change, however.
This potential change arises from the 2017 Equifax data breach. In its wake, Canada’s Office of the Privacy Commissioner (OPC) determined that the personal information of over 19,000 Canadians had been compromised. They had provided their personal information to Equifax Canada, which had transferred their information for processing and storage to its U.S.-based affiliate, Equifax, Inc., the subject of the subsequent breach. Because the cross-border transfer for processing was consistent with the purpose for which the individuals originally provided their data, their express consent to that transfer was not required, pursuant to OPC guidance in place since 2009.
As a direct result of the compromise of the Canadians’ personal information, last month the OPC issued a proposal that would require Canadians’ consent to similar cross-border transfers in the future. It would accomplish this by reclassifying such transfers from “uses” to “disclosures.” A “use” of personal information by a recipient is something consistent with the original purpose for which it was given – e.g., processing or storage – whereas “disclosure” is for a different purpose altogether – e.g., sending it to marketing research or advertising agencies. The former does not require express consent of individuals, whereas the latter does. Thus under the OPC’s proposal, even transfer of data to a U.S.-based affiliate or vendor for storage would require the individual’s express consent. Obtaining express consent would include providing individuals with alternatives to the transfer of their information outside Canada.
U.S. companies that receive personal data of Canadians should be aware that the proposed changes could increase the cost and complexity of cross-border transfers. Their Canadian affiliates may demand more burdensome arrangements and compliance procedures for handling such information.
It remains to be seen whether this proposal will take effect. A comment period on the OPC’s proposal remains open until June 28, 2019.