Transborder Data Flow Guidelines No Longer on Shaky Ground
Yesterday afternoon the Office of the Privacy Commissioner of Canada (OPC) concluded its consultation on transfers for processing, stating that its 2009 Guidelines for Processing Personal Data Across Borders will “remain unchanged under the current law”. The announcement comes to the relief of businesses who have rightfully maintained that a consent model for transfers of personal information in the context of service relationships would be impractical and incredibly challenging to comply with.
The OPC reminds businesses of the legal requirement to be transparent if their customers’ personal information is being sent to another jurisdiction where it may be accessed by the courts, law enforcement and national security authorities of that country. And the OPC still wants to see PIPEDA reformed to better protect Canadians’ privacy rights when their information is transferred between organizations. However, maintaining the status quo until the legislation is reformed is, in my opinion, the right approach.
In light of this announcement, it would have been appropriate for the OPC to re-draft PIPEDA Report of Findings #2019-001 where disclosures from Equifax Canada to Equifax Inc. were characterized as requiring consent. Nevertheless, it is good to know that businesses can rely on the following considerations under PIPEDA when transferring personal information to a third party for processing:
- A strong service provider agreement must be in place with the third party that outlines personal information handling responsibilities (Accountability principle);
- Personal information must be appropriately safeguarded by the third party entrusted with the data, using strong physical, organizational and technical controls (Safeguards principle); and
- There must be transparency and clarity with regard to: the types of third parties personal information is shared with in the context of outsourcing relationships; the purposes for which those data transfers occur; and whether those third parties are in countries outside of Canada (Openness principle and the OPC Guidelines for Obtaining Meaningful Consent).
For assistance with ensuring your outsourcing arrangements are acceptable from a privacy and data security standpoint, contact PRIVATECH.