Privacy officers relieved Canadian watchdog isn’t changing the rules

The federal privacy commissioner’s decision not to change his office’s guidance on whether firms need explicit consent from consumers if they transfer personal data to other countries for processing is being greeted with relief by privacy officers, according to a lawyer.

“Certainly going back to the status quo is what everybody hoped for, what everybody expected,” said Halifax lawyer David Fraser of the firm McInnes Cooper, referring to a decision this week by privacy commissioner Daniel Therrien.

Therrien maintained that firms don’t have to get explicit consent from people whose personal information they have collected if they want to ship the data to the U.S. or other countries for processing. Therrien had raised the possibility in April that guidance might be reversed when he released a decision on the Canadian impact of the huge 2017 Equifax data breach.

Data on 19,000 Canadians was held in the company’s U.S. data centre, and Therrien found there were “significant shortcomings” in its information security. He went on to conclude Equifax’s shifting of data south without explicit consent from each customer was “inconsistent” with the obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

“For consent to be valid, individuals must be provided with clear information about the disclosure, including when the third party is located in another country, and the associated risks,” he said in the decision.

Before making a final decision on that interpretation Therrien said he would consult with industry, which led to his decision announced this week. In it he noted the vast majority of submissions argued PIPEDA doesn’t require explicit consent from consumers if the purpose of a cross-border personal data transfer is only to process the data.

In short, Therrien concluded that he shouldn’t interpret the law. If the law is to be changed Parliament will have to do it.

At the same time he reminded businesses they should at least be clear to customers in general that their personal information may be sent to another jurisdiction for processing, and once there may be accessed by the courts, law enforcement and national security authorities.

“The backlash from privacy professionals was overwhelming and consistently negative,” said Fraser, referring to the chance of a new and possibly onerous explicit consent obligation on businesses. Most of the ones he speaks to feel “nothing’s broken, nothing needs to be fixed.”

Therrien has urged Parliament several times to change PIPEDA and give his office more power to enforce privacy legislation. Along with the suggested re-interpretation of the law on consent and cross-border data transfer, Therrien has also suggested PIPEDA in effect gives Canadians the so-called right to be forgotten on the Internet without changing the law.

“I think what we’re seeing is a privacy commissioner who’s increasingly frustrated with Parliament’s lack of enthusiasm with adopting his recommendations,” said Fraser said. “So he is doing what he can within the statute he has, which in some instances requires some pretty flexible and gymnastic re-interpreting of the legislation in order to get where he wants to go.”

And Fraser doubts Parliament will change the law to require explicit consent for cross-border data transfers. That would likely be seen by other countries as a  non-tariff barrier to trade, he said.

Getting informed consent from people regarding the collection and use of their personal data is one of the thorniest issues in privacy law. In his 2017 report to Parliament, Therrien said organizations need to be clearer about how they collect personal data and what it done with it.

Consumers are “befuddled by incomprehensible privacy policies,” he said.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now