Leaders in privacy, compliance & information governance solutions

Welcome. Log in or create an account for AccessPrivacy.com

OPC finds that consent is required under PIPEDA for transborder data flows for processing: Consultation on Cross-Border Dataflow

April 10, 2019

The Office of the Privacy Commissioner of Canada (OPC) released its Report of Findings yesterday following the conclusion of its investigation into the 2017 Equifax breach of personal information.  In addition to key findings on security safeguards, the OPC found that Equifax should have obtained express consent from individuals before sending their personal information to its US parent for processing. The OPC indicated that this was particularly so given the sensitivity of the financial data involved and that individuals would not have reasonably expected their data to be transferred to a third party outside of Canada. As a result of this investigation, the OPC and Equifax entered into a compliance agreement under section 17.1(1) of PIPEDA, which requires Equifax to submit third party audit reports to the OPC every two years for a six-year term.

Together with the Report of Findings, the OPC announced that it is launching a consultation on cross-border dataflows given the departure from its 2009 policy position on transborder data flows which required only notice to customers, as opposed to express consent.  The OPC encourages stakeholders to consider the following key points: 

  • A company that is disclosing personal information across a border, including for processing, must obtain consent.
  • Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders.
  • When disclosing personal information to a third party for processing, a company does not relinquish control of the information.

Input from interested parties on its updated policy position, as well as on specific areas for which related guidance would be most needed, can be submitted to the OPC until June 4, 2019

We will be also be discussing the Equifax Report of Findings in greater detail during our next monthly call on April 24, 2019 at 11:30 a.m. EDT.

OPC, PIPEDA Share This