On August 4, 2020, the Office of the Privacy Commissioner of Canada (the OPC) issued PIPEDA Report of Findings #2020-001 (the Report), which concluded that a Canadian financial institution (the FI) had complied with its obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) in connection with outsourcing aspects of its fraud claims processing services to a third party service provider located in India. Importantly, the OPC found that FI was not required to obtain consent from its customers to transfer personal information to its service provider, signifying a commitment to the OPC’s original policy position on cross-border transfers of personal information.
PIPEDA does not contain obligations that are specific to cross-border transfers of personal information and does not distinguish between domestic and international transfers of personal information. Instead, the OPC has established the requirements for the transfer of personal information across borders through guidance documents and investigations, including the OPC’s 2009 document Guidelines for processing personal data across borders (the 2009 Guidelines). As articulated in the 2009 Guidelines, the OPC had previously taken the position that organizations are not required to obtain consent from individuals to transfer their personal information for the purposes of processing, regardless of the jurisdiction of the third party, provided the personal information was used by the third party service provider for the purpose for which it was originally collected.
In April 2019, in a diametric reversal of the OPC’s prior policy position, the OPC held in PIPEDA Report of Findings #2019-001 that an organization was required to obtain additional consent from individuals prior to the transfer of their personal information across provincial or national borders to a third party service provider for processing. The OPC’s new position, presenting potentially significant compliance issues for organizations that outsource to third party service providers, was widely criticized for its impracticability.
Following a lengthy consultation process, in September 2019 the OPC concluded there would be no change to its requirements for transfers of personal information and there were therefore no new obligations for organizations engaging in transfers of personal information to other jurisdictions for processing. For more information on the OPC’s policy position reversal and consultation process, please see BLG Bulletins “OPC Maintains Status Quo as it Concludes Consultation on Cross-Border Dataflows” and “Important Privacy Commissioner Consultation Impacting Cross-Border Dataflows and Outsourcing”.
The Report related to a complaint made by a former employee of the FI, which alleged FI did not obtain consent for, or allow customers to opt out of, the transfer of personal information in connection with FI’s outsourcing of certain aspects of its fraud claims processing services to a third party service provider located in India. The complaint further alleged that FI had not been sufficiently open about its outsourcing practice.
In the Report, the OPC addressed whether FI had complied with the principles of consent, openness and accountability, three of the internationally recognized Fair Information Principles on which PIPEDA is based.
The OPC first addressed whether FI was required to obtain additional consent to transfer its customers’ personal information to the third party service provider in India. The OPC relied on its 2009 Guidelines, which explain that when an organization transfers personal information to a third party service provider for processing, the service provider can only use the personal information for the purposes for which the personal information was originally collected. If the service provider uses the personal information for any other purpose, the organization must obtain additional consent for the transfer of that personal information to the service provider. The OPC reviewed FI’s account agreement, privacy agreement and privacy code, and found that each document stated that FI may use its customers’ personal information to help protect against fraud, among other purposes. Accordingly, since the third party service provider was using FI customers’ personal information for the same purpose for which FI had collected the personal information, additional consent was not required.
The OPC then addressed whether FI had been transparent about its use of the third party service provider. The OPC found that FI’s privacy agreement and privacy code each stated that FI may transfer personal information to third party service providers, and FI’s “privacy highlights” webpage further stated that those service providers may be located in other jurisdictions. In addition, FI provided this information to each of its customers in a timely manner when each customer applied for an FI product. Finding that FI had readily made “prominent, clear and understandable information” available about its outsourcing practices, the OPC held that FI was sufficiently open about those practices.
Lastly, the OPC addressed accountability. While the complaint did not directly raise the issue of accountability, the OPC found it appropriate to address it, given that FI’s outsourcing activities were the subject matter of the complaint. The OPC reiterated that the accountability principle requires an organization to provide a “comparable level of protection” for personal information transferred to a service provider. Further, the measures appropriate to provide that protection must be commensurate with the sensitivity of the personal information and will depend on the circumstances at hand. The OPC reviewed FI’s services agreement with the third party service provider and its outsourcing practices, and found that FI had implemented a number of contractual and other measures designed to protect personal information transferred to its third party service providers. These include conducting risk assessments; requiring its service providers to implement employee monitoring, employee training, work environment controls, and access and other cybersecurity controls; and monitoring and enforcing its service providers’ contractual obligations. The OPC found these contractual and other measures appropriate under the circumstances at hand and held that FI remained accountable for personal information transferred to the third party service provider.
For those reasons, the OPC concluded that the complaint was not well founded.
The OPC’s Report provides important guidance for organizations that outsource business functions to third parties, including tangible examples of the ways in which an organization may satisfy its accountability obligations under PIPEDA when transferring personal information to a third party service provider.
In addition, the Report is the first report of findings issued by the OPC following a turbulent year of changes to the privacy law requirements for cross-border transfers of personal information. The Report affirms the OPC’s commitment to its prior policy position that a transfer of personal information to a service provider for processing does not require additional consent, regardless of the location of the third party service provider, and provides helpful guidance for organizations that engage cross-border service providers.
Organizations should note that other OPC guidance still applies to transfers of personal information for processing, including the 2009 Guidelines and the OPC’s Guidelines for obtaining meaningful consent.