Privacy & Information Security Law Blog

As reported by Bloomberg Law, on May 24, 2019, the Office of the Privacy Commissioner of Canada (the “OPC”) suspended its public consultation on transborder data flows (the “Consultation”). The suspension follows the announcement of the Digital Charter by the Canadian government, which puts forward principles for digital reform, including improvements to Canadian privacy law.

Following the announcement, the Privacy Commissioner of Canada, Daniel Therrien, suspended the Consultation given that a reformed privacy law might address approaches to transborder data flows outside of Canada. While the Consultation is suspended, it has not necessarily concluded and may resume in the future, according to a speech made by Therrien at the 2019 IAPP Canadian Privacy Symposium.

The OPC initially launched the Consultation on April 9, 2019, and proposed a change in policy for cross-border data transfers to include a requirement to obtain consent before exporting data across borders. The OPC also released a supplementary discussion document on April 23, 2019, to further explain the reasons for its proposed change in policy. Currently, transborder data flows outside of Canada rely on the accountability principle, based on guidance from the OPC produced in 2009.

The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) had already responded to the OPC’s Consultation before its suspension. CIPL recommended against the proposed changes to the OPC’s 2009 guidance for the following reasons:

• there is no mandate under PIPEDA to require consent for transfers, whether they be domestic or cross-border (if there were, a public consultation on that point would not be warranted);
• transparency and consent are two distinct elements and any issues surrounding a lack of transparency should be addressed through separate means, rather than through requiring consent (transparency with respect to transborder data flows is already required under the 2009 guidance);
• requiring consent will not add any additional privacy protections to individuals;
• any existing problems to the current approach could be addressed by clarifying organizational accountability and ensuring proper enforcement of this approach;
• requiring explicit consent would be burdensome both for individuals and businesses, confuse individuals and reduce privacy protections;
• the revised OPC approach would be an outlier among transfer regimes globally (the GDPR enables information transfers without relying on individual consent, save in very narrow circumstances, and requiring consent is inconsistent with the APEC Privacy Framework and the APEC Cross-Border Privacy Rules);
• requiring consent is also inconsistent with the OECD Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Data Flows; and
• requiring consent would undermine Canada’s commitments in relevant trade agreements, including, the United States–Mexico–Canada Agreement, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the EU-Canada Comprehensive Economic and Trade Agreement.

To read more about these points in detail, please see CIPL’s full response.