Blog

Changes to Cross-Border Data Flow Consent Requirements: Is Your Privacy Policy Still Compliant?

April 30, 2019

Written By Ruth E. Promislow, J. Sébastien A. Gittens, and Katherine Rusk

The Office of the Privacy Commissioner of Canada (OPC) has announced a revision to its policy position on transborder data flow under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and is seeking input from interested third parties. The revision was set out in the recent release of a consultation document (the “Consultation Document”) and a supplementary discussion document.

The key points from the Consultation Document include the following:

  • Organizations in Canada that disclose personal information across a border—including for processing—must obtain consent for this transfer.
  • Transfers of information for processing require consent as they involve disclosure of personal information from one organization to another.
  • For consent to be valid, individuals must be provided with clear information about any disclosure to a third party, including when the third party is located in another country, and the associated risks.
  • When determining the form of consent (express or implied), companies will need to consider the sensitivity of the information and the individual’s reasonable expectations.
  • Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders. However, where the transfer of information for processing is integral to the delivery of a service, organizations are not required to provide an alternative.
  • The new policy position includes not only cross-border transfers between controllers and processors, but also other cross-border disclosures of personal information between organizations.

The Consultation Document represents a shift in approach from that set out in the OPC’s 2009 Guidelines for Processing Personal Data Across Borders, which provided, among other things, that "a transfer for processing is a 'use' of the information; not a disclosure." The change, under which cross-border data transfers will be considered a "disclosure" and not a "use" of personal information, would help position Canada's privacy rights closer to the European General Data Protection Regulation (GDPR).

In the supplementary discussion document, the OPC set out that the change in its position is based in part on findings from its investigation into Equifax's 2017 data breach. The OPC concluded that "a transfer of personal information between one organization and another clearly fits within the generally accepted definition of 'disclosure'." The supplementary discussion document also states that along with consent, the principles of accountability and openness under PIPEDA apply.

This proposed policy position from the OPC has implications with respect to the consent required to transfer an individual’s personal information across a border. Under this new policy direction, further disclosure and express consent may be required to the extent that personal information is being disclosed to a third party in a different jurisdiction. As stated in the supplementary discussion document, the OPC's change in position will "require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers."

To ensure compliance under PIPEDA, organizations should: (i) identify and map how personal information is collected, used/processed, stored, transferred and disclosed, and (ii) assess whether adequate consent has been obtained. This is particularly so given the policy position stated in the Consultation Document.

At this stage, organizations are encouraged to provide comments to the OPC with respect to the Consultation Document by June 4, 2019. The Cybersecurity and Data Privacy team at Bennett Jones is available to assist your organization in doing so and to answer any questions you might have about your organization’s privacy obligations.


Authors

  • Ruth E. Promislow, Partner
  • J. Sébastien A. Gittens, Partner, Trademark Agent
