The federal privacy commissioner’s decision not to change his office’s guidance on whether firms need explicit consent from consumers if they transfer personal data to other countries for processing is being greeted with relief by privacy officers, according to a lawyer.
“Certainly going back to the status quo is what everybody hoped for, what everybody expected,” said Halifax lawyer David Fraser of the firm McInnes Cooper, referring to a decision this week by privacy commissioner Daniel Therrien.
Therrien maintained that firms don’t have to get explicit consent from people whose personal information they have collected if they want to ship the data to the U.S. or other countries for processing. Therrien had raised the possibility in April that guidance might be reversed when he released a decision on the Canadian impact of the huge 2017 Equifax data breach.
Data on 19,000 Canadians was held in the company’s U.S. data centre, and Therrien found there were “significant shortcomings” in its information security. He went on to conclude Equifax’s shifting of data south without explicit consent from each customer was “inconsistent” with the obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
“For consent to be valid, individuals must be provided with clear information about the disclosure, including when the third party is located in another country, and the associated risks,” he said in the decision.
Before making a final decision on that interpretation Therrien said he would consult with industry, which led to his decision announced this week. In it he noted the vast majority of submissions argued PIPEDA doesn’t require explicit consent from consumers if the purpose of a cross-border personal data transfer is only to process the data.
In short, Therrien concluded that he shouldn’t interpret the law. If the law is to be changed Parliament will have to do it.
At the same time he reminded businesses they should at least be clear to customers in general that their personal information may be sent to another jurisdiction for processing, and once there may be accessed by the courts, law enforcement and national security authorities.
“The backlash from privacy professionals was overwhelming and consistently negative,” said Fraser, referring to the chance of a new and possibly onerous explicit consent obligation on businesses. Most of the ones he speaks to feel “nothing’s broken, nothing needs to be fixed.”
Therrien has urged Parliament several times to change PIPEDA and give his office more power to enforce privacy legislation. Along with the suggested re-interpretation of the law on consent and cross-border data transfer, Therrien has also suggested PIPEDA in effect gives Canadians the so-called right to be forgotten on the Internet without changing the law.
“I think what we’re seeing is a privacy commissioner who’s increasingly frustrated with Parliament’s lack of enthusiasm with adopting his recommendations,” said Fraser. “So he is doing what he can within the statute he has, which in some instances requires some pretty flexible and gymnastic re-interpreting of the legislation in order to get where he wants to go.”
And Fraser doubts Parliament will change the law to require explicit consent for cross-border data transfers. That would likely be seen by other countries as a non-tariff barrier to trade, he said.
Getting informed consent from people regarding the collection and use of their personal data is one of the thorniest issues in privacy law. In his 2017 report to Parliament, Therrien said organizations need to be clearer about how they collect personal data and what is done with it.
Consumers are “befuddled by incomprehensible privacy policies,” he said.