CMA warns data transfer changes could lead to ‘consent fatigue’

The Canadian Marketing Association is urging the Office of the Privacy Commissioner (OPC) not to change privacy rules in Canada that could make it more difficult for businesses to send consumer data outside of the country for processing.

The changes could come as part of an OPC review of the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC has recommended that any organization handling Canadians’ personal information must obtain consent from the person whose data is being held before it is permitted to exit the country.

“[It] is the OPC’s view that individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country,” said the OPC in a consultation paper issued earlier this year (the OPC also subsequently issued a standalone discussion document).

This marks a significant shift from the OPC’s 2009 guidelines, which stated that “assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.”

In an article in Canadian Lawyer magazine last month, Lisa Lifshitz, a partner at Torkin Manes LLP’s information technology and business law practice, says the OPC appears to be “reinterpreting PIPEDA” so that it won’t fall behind the European Union’s General Data Protection Regulation (GDPR), which is regarded as the “gold standard” in data security.

The OPC’s recommendations accompanied the April release of its report on the 2017 Equifax data breach, when hackers broke into the credit-reporting and data analytics company and obtained the personal information of 143 million people, including 19,000 Canadians.

During its investigation, the OPC said that it heard from individuals who used Equifax Canada products or services who were “surprised” to discover that their breached personal information was located in the U.S. Canadians were caught up because Equifax Canada sent credit monitoring and fraud alerts to its U.S. parent for processing.

PIPEDA currently states that organizations “shall use contractual or other means to provide a comparable level of protection” when personal information is being processed by a third party. However, the OPC says that the current formulation is “not always effective” in protecting privacy.

It says that a “new factor of uncertainty” surfaced with the May introduction of the federal government’s Digital Charter and an accompanying white paper, Strengthening Privacy for the Digital Age, which includes considerations for amending PIPEDA.

But in a lengthy Aug. 6 letter to the OPC, Sara Clodman, the CMA’s vice-president, public affairs and thought leadership, said that having to provide additional consent for data transfer would not “be in the best interests of consumers,” who would not benefit from any meaningful improvement in privacy protection.

“Instead, the change would contribute to ‘consent fatigue,’ causing consumers to be less likely to carefully review notices and make informed decisions on when to provide their consent, rather than empowering them by improving transparency and strengthening the accountability of organizations to their customers and the public,” wrote Clodman.

She added that requiring consent every time a third-party relationship is explored within each business relationship places an “undue burden” on consumers, who would face frequent and voluminous requests for consent when interacting with an organization that transfers personal information for processing purposes.

Her letter also said that Canadian businesses and organizations would face “complex operational consequences and significant disruption” that could result in interruptions in service and confusion for consumers.

The CMA said that its 400 members “strongly believe” in the strength of the long-established interpretation of data transfer, which states that organizations transferring data to third-party service providers don’t have to obtain additional consent from individuals if other PIPEDA principles are adhered to.

Clodman’s letter also stated that consent is “not a remedy for failure to adhere to other PIPEDA principles,” and offers “no additional meaningful privacy protection” for individuals.

“While consent remains an important aspect of PIPEDA, we must be careful not to place too much emphasis on it alone,” she wrote. “Consent does not waive an organization’s other obligations under PIPEDA, most notably Openness and Accountability, and it becomes superficial in their absence. Whether or not an individual consented to the transfer of personal data for processing would not address the governance issue the OPC wishes to solve.”






Chris Powell