Earlier this month, Cybera submitted its response to a consultation issued by the Office of the Privacy Commissioner (OPC) on transfers for processing.
Specifically, the OPC is reviewing how consent and accountability should apply when a “controller” of an individual’s data transfers it to a third party for “processing”.
For example, online stores routinely send a customer’s contact and purchase history information to a third-party customer service agency, to provide 24/7 support to the customer. The question becomes: at what point should the customer be notified (and sign off) on such transfers of information? Particularly if that transformer is crossing national or privacy legislation borders.
“The OPC's long term goal is to ensure effective privacy protection in the context of transborder data flows and transfers for processing, accepting that transborder flows are the subject of international trade agreements and that both domestic and international transfers bring significant benefits to individuals and organizations.”
In this consultation, the OPC asked for comments on the following proposed changes to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), as well as transfers for processing in general:
- Require demonstrable accountability, including an authority for the OPC to proactively inspect the practices of organizations to ensure they truly are accountable.
- Require organizations to seek meaningful consent when a transfer of personal information entails risk.
- Require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers.
In our response to the OPC’s consultation, Cybera made the following recommendations with respect to the issue of transfers for processing:
- Allow for a degree of flexibility in future privacy legislation to maintain a relative free flow of data, including local and transborder transfers for processing.
- Maintain the principles of consent and accountability in future legislation, while allowing for implied consent to apply to transfers (where possible).
- Continue to allow reasonable exceptions for data that is used for academic, scholarly and research purposes, and regulate these uses as a separate legal category from commercial uses.
- Refrain from a regulatory reinterpretation of PIPEDA. Instead, make a legislative amendment to PIPEDA to clarify the matter of consent and data transfers.
- Parliament should give the OPC greater powers to proactively review, investigate, and audit.
- Parliament should give the OPC the power to levy monetary penalties.
- Engage in further study on the relevance of an adequacy model (which considers the level of privacy protection in countries that Canadian data is sent to) for Canada.
- Engage in further study on the matter of transborder data flows as it pertains to Canada’s trade relationships with the US and the EU.
Our full response can be viewed here:OPC Consultation on Transfers for Processing