The wrong test case for data transfers
The Equifax data breach was a teachable moment, but it seems the Office of the Privacy Commissioner may have learned the wrong lesson.
The OPC reframed a previous consultation document on transborder data transfers following a report on the Equifax case, and redefined some standard terms in an effort to address that case.
The current discussion, the CBA’s Privacy and Access Law Section says, seems to be driven by the investigation into Equifax Canada and its U.S. affiliate, which “presented unique facts, uncommon in the usual circumstances of transfer of personal information.”
The Section says the Equifax case is not about data transfer – the core of the case is the fact that consumers were misled about who was in control of their information. Neither Equifax Canada nor its U.S. affiliate was open about the flow of personal information, and they never sought appropriate consent to collect that information.
“This case was not about transborder transfers or outsourcing,” the Section says. “This case was about a lack of meaningful consent (who was the actual party to which consent was being given) and a failure of accountability. Consequently, with the Equifax facts, the most significant privacy issue lies not in the transfer of data. Rather, the issues are ones of accountability, transparency and consent…”
The issues that arose in the Equifax case won’t come up in the majority of cross-border data transfers, the Section says, adding it’s “inadvisable” to change the privacy landscape for transfers of personal information based on an unusual set of circumstances.
In a 2009 guidance document, the OPC defines a data transfer as a use by a third party on behalf of the transferor – for example, if your employer sends your data to a third-party company that prepares paycheques. A disclosure, on the other hand, is when the third party collects your personal data from your employer and uses it for its own purposes – targeted marketing, for example. In the current consultation, the OPC suggests the 2009 interpretation was wrong: a transfer is a disclosure.
“In our view, the proposed new interpretation is unsupported by accepted principles of statutory interpretation, specifically consideration of the context in which the relevant terms are used in PIPEDA and the intentions behind the relevant statutory provisions,” the Section says. “It is also inconsistent with the understood and accepted scheme of privacy protection reflected in PIPEDA and other Canadian private sector privacy laws…”
The Section reviews how the terms are treated in other jurisdictions, provincially and internationally, as well as the need for the legislative regimes to speak the same language and be consistent with international norms. A lot of that discussion focuses on consent – implied vs. express, and when each might be necessary.
The OPC should also consider the impact of a significant policy change on organizations that may not be directly subject to Canadian privacy law, like the not-for-profit sector.
“Requiring express consent for outsourcing or even transborder transfers will have significant implications for charities and not-for-profits who are either subject to PIPEDA or choose to comply with PIPEDA and the CSA Model Code … By reversing its well-settled position that a transfer for processing is a ‘use’ of information and not a ‘disclosure,’ and by requiring meaningful consent, and possibly even express consent, to such transfers, the OPC would impose additional costs and onerous requirements on a sector needing ‘to do more with less’ and facing a steady decline in charitable giving.”