On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPCC) published PIPEDA Report of Findings #2019-001 regarding the 2017 Equifax data breach. This breach involved approximately 19,000 affected Canadians whose detailed and sensitive personal information was shared by Equifax Canada Co. with its parent company, Equifax Inc. in the United States. Essentially, the breach involved Canadian consumers who purchased or received direct-to-consumer products or fraud alerts from Equifax Canada Co. At issue was the adequacy of safeguards by Equifax Inc., as well as whether Equifax Canada had adequate accountability for Canadian data processed by Equifax Inc., and had obtained valid consent for this processing from individuals. Given that certain information compromised in the breach should not have been kept as long as it had, the investigation also examined Equifax Inc.’s data destruction practices.
The decision provides guidance and an analysis of key security practices such as vulnerability management, network segregation, implementation of basic security practices including detailed access logs, separation of test and production data, and effective security training. With respect to security oversight, the decision states: “the existence of a clear disconnect between policies and practices in a range of security domains demonstrates that Equifax Inc.’s security program had critical gaps, and that therefore the oversight mechanisms were inadequate.”
This notable decision put Equifax on a fairly onerous six-year “compliance agreement” and also resulted in the OPCC launching a consultation on its plans to revise its 2009 policy position on trans-border data flows under the Personal Information Protection and Electronic Documents Act (PIPEDA). The suggestion that companies need consent in order to transfer data across borders may result in a new and significant obligation for companies to address. June 4, 2019 marks the deadline for responses to the consultation.
Canada has become increasingly resistant to the free flow of data across its borders, and part of the hesitation comes from the perceived way in which American companies use personal information. Although the legal and business communities have raised alarm bells about the practicality of a consent model for disclosures to related companies or service providers, the result of the consultation will in my view simply stress what we already know – transparency is key. This would be fully in line with the OPCC’s Guidelines for obtaining meaningful consent.
As stated in the consultation document’s key points: “…organizations must make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service. Depending on the circumstances, a transfer for processing may well be integral to the delivery of a service and in such cases, organizations are not obligated to provide an alternative. Nonetheless, by being provided with clear and adequate information about the nature, purpose and consequence of any disclosure of their personal information across borders, individuals will be able to make an informed decision about whether to consent to the disclosure and therefore do business with the organization.”
The question becomes, how will the Commissioner land on what is “integral to the delivery of service”? If sending data across the border is integral to keeping an organization’s costs down, can an organization impose a ‘take it or leave it’ data sharing model? In the digital economy, cross-border data transfers are the norm, and how data transfers are characterized in light of PIPEDA is a delicate topic. Hopefully accountability and transparency will be stressed in a way that supports businesses and protects consumers in a balanced, principled approach that is central to Canada’s privacy framework.
For more information about these recent developments or for guidance on your organization’s consent practices, contact PRIVATECH.