The Office of the Privacy Commissioner is interpreting PIPEDA’s consent obligations and outsourcing in a way that could have “significant negative consequences for the Canadian economy,” the CBA’s Privacy and Access Law Section says.
In a letter to Innovation, Science and Economic Development Canada, the Section notes that the prevailing interpretation of PIPEDA is that the organization that controls the information is responsible for ensuring that any third-party processor “conducts itself such that the accountable organization may fulfil its obligations under the Act.”
The Section cites the Federal Court’s decision in State Farm Mutual Automobile Insurance Company v Privacy Commissioner of Canada as stating that if the primary activity is not subject to PIPEDA, then the activity remains outside of PIPEDA even if a third party is retained to carry out that activity.
The OPC’s interpretation in its joint report with the B.C. Privacy Commissioner into AggregateIQ Data Services appears to contradict the State Farm decision by stating that AIQ needed to gain consent to process personal data in a mayoral campaign where no privacy law would have applied if the campaign had processed the information itself.
This interpretation, which “is not grounded in the commercial reality of outsourcing relationships,” could put international trade at risk by causing international companies to bypass Canadian data-processing firms. It could also lead to odd results for the public sector, by suggesting that PIPEDA consent obligations apply when a private contractor carries out government work even when consent is not required under public-sector privacy laws.
In fact, the OPC’s interpretation could even exceed Parliament’s legislative authority, and interfere with the ability of governments at other levels to outsource without meeting PIPEDA requirements.
“Further, the OPC’s interpretation would give PIPEDA extraterritorial effects for the processing of personal information of individuals and organizations with no connection to Canada other than use of a Canadian service provider.”
The Section recommends that any amendments to PIPEDA state that Canadian organizations can process personal information on behalf of third parties subject to the same legal regime (or lack thereof) as the original custodian.
“If properly written, this would address some of the gaps related to adequacy that have been experienced under GDPR for international transfers for processing.”