Canada is planning to revamp its comprehensive privacy law by repealing the existing comprehensive privacy law, PIPEDA, and by enacting Bill C-27, the Digital Charter Implementation Act (“DCIA”) to enact the Consumer Privacy Protection Act (CPPA), Personal Information and Data Protection Tribunal Act (PIDTA), and Artificial Intelligence and Data Act (AIDA). Bill C-27 replaced Bill C-11 (the former drafts of the CPPA and PIDTA). While the DCIA attempts to rectify some of the criticisms with Bill C-11, many of the problems remain and problems have emerged in the new Bill. This blog series will address some of the more important problems with the DCIA including issues in the CPPA, PIDTA and AIDA. My prior post focused on the purposes of Bill C-27’s preamble and an overview of how the bill fails to meet these purposes. Another post focused on the problems with the “appropriate purposes” override section. This post focuses on the challenges with the amendments to the service provider provisions.
Transfers for processing under PIPEDA
Many organizations provide third parties with personal information to help them carry on their businesses. The organizations obtain consents from individuals for those uses, but not for the myriad of transfers relied on to fulfill the purposes for which the consents are obtained. The practice is pervasive including everything from payment processing, cloud and SAAS service solutions, business processing, and IT outsourcing. Given our integrated economy, especially with the United States, trans-national transfers of personal information take place all the time.
PIPEDA permits transfers of personal information for processing including across borders. It deals with such transfers under the accountability principle in Principle 4.1.3 of the CSA Model Code.
4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The OPC made a number of findings related to transfers of personal information in its complaint investigations over the years. In its 2009 Guidelines for processing personal data across borders it summarized its interpretation of PIPEDA as follows:
- PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.
- PIPEDA does establish rules governing transfers for processing.
- A transfer for processing is a “use” of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
- The transferring organization is accountable for the information in the hands of the organization to which it has been transferred.
- Organizations must protect the personal information in the hands of processors. The primary means by which this is accomplished is through contract.
- No contract can override the criminal, national security or any other laws of the country to which the information has been transferred.
- It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of customer personal information when it is transferred to third-party service providers operating outside of Canada.
- Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.
The Guideline has been consistently applied by the OPC, with the exception of during a short period during which the Commissioner re-interpreted transfers of personal information as disclosures and not uses thus requiring consents for such transfers. See, Barry Sookman, OPC consultation on trans-border data flows: my submission to the consultation, Barry Sookman, OPC drops transborder transfer of data consultation.
PIPEDA did not define the phrase “comparable level of protection”. The 2009 Guidelines did, construing it as follows:
“Comparable level of protection” means that the third party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board but it does mean that they should be generally equivalent.
PIPEDA is silent as to whether PIPEDA, or at least some of its provisions, applies to a service provider when its use of personal information transferred is limited to processing on behalf of the transferring party. The OPC in the Equifax decision held, without any analysis of the issue, that the security safeguards principle applies to a service provider independently of its obligations to the transferring party.
The “comparable level of protection” principle creates a number of challenges in practice. Transferring organizations often have different privacy standards from those of their service providers. Some top tier national organizations have very high standards, while small service providers often have PIPEDA compliant standards, but not as high as all of their customers. Conversely, many top tier service providers have very stringent security safeguards, in some cases even higher than those of their customers. The Equifax decision complicated the analysis by raising the question as to whether other PIPEDA obligations applied to the processor, and if so, how these could be reconciled with its status as a processor and not (to use the GDPR vernacular) a controller, the person responsible for making choices as to how personal information is to be used.
Transfers to service providers under CPPA
The CPPA continues to address transfers of personal information under the accountability principle. But, it does so in importantly different ways.
What is a service provider
The CPPA introduces a new term “service provider” to replace the concept of processor. Under the CPPA
service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes. (fournisseur de services).
It is unclear why the CPPA did not continue to use the term “processor”. The term has a well understood meaning such as the use in the GDPR which defines it to mean “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. While a person “that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes” would be a processor, it is uncertain whether every service provider would invariably be a “processor”, though it would be logical to conclude this is what the CPPA intends. There are many other relationships not mentioned such as professional organizations and agents that provide services to organizations. It is doubtful there is a principled reason to distinguish between processors and service providers. The use of the term “subcontractor” is also ambiguous. It may be intended to refer to “sub-processors”, but may also refer to relationships between contractors and subcontractors.
Transfers of personal information do not require new consents
As under PIPEDA, transfers of personal information for processing is permitted without requiring a new consent. S.19 now codifies the existing practical interpretation of PIPEDA stating:
Transfer to service provider
19 An organization may transfer an individual’s personal information to a service provider without their knowledge or consent.
Levels of protection for transferred personal information
Under the s.7(1) of the CPPA, an organization is accountable for personal information that is under its control. Under s.7(2) personal information is under the control of the organization that decides to collect it and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.
The CPPA departs from PIPEDA in prescribing the level of protection the transferring organization must require from the service provider. The standard that was in Bill C-11 read as follows.
11 (1) If an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as that which the organization is required to provide under this Act.
This standard was changed in Bill C-27 to read:
11 (1) If an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same a level of protection of the personal information asequivalent to that which the organization is required to provide under this Act.
As can be seen, under both Bills C-11 and C-27, the service provider is no longer required to provide a comparable (or equivalent) level of protection to the level of protection given to the information while in the possession of the transferring organization. The level of protection is will now be the equivalent level of protection that transferor is required to give it under the CPPA. This is a major improvement to the current law which requires transferors to ensure that the service provider provides at least a comparable level of protection to what the transferor provides.
The updated standard will likely now also correspond to the separate obligation on the service provider under Section 11(2) of the CPPA to comply with the generally applicable security standard set out in s57 of the CPPA which reads as follows.
57 (1) An organization must protect personal information through physical, organizational and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information.
Factors to consider
(2) In addition to the sensitivity of the information, the organization must, in establishing its security safeguards, take into account the quantity, distribution, format and method of storage of the information.
Scope of security safeguards
(3) The security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.
The revisions to the CPPA related to transferring personal information to service providers now more closely align to the GDPR. Under Article 28 of the GDPR where “processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” The same independent standard is imposed on processors under Article 32, which requires that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” including a number of specifically enumerated measures.
The CPPA does not, however, follow the recent OSFI B-10 draft Guidance on the obligations of FREs to contract for security with third parties where OSFI would permit the service provider to comply with FRFI standards—or recognized industry standards—for mitigating risk.
Notices of security breaches
S.61 of the CPPA adds a new obligation not expressly included under PIPEDA requiring service providers to notify organizations of a breach of security safeguards:
61 If a service provider determines that any breach of security safeguards has occurred that involves personal information, it must as soon as feasible notify the organization that controls the personal information.
This obligation, which also exists under Article 33.2 of the GDPR, is necessary because s.58 of the CPPA also includes the PIPEDA requirements for organizations to provide notices to individuals and the OPC of breaches of security safeguards.
The CPPA is silent with respect to the obligations of service providers to keep records of breaches of security safeguards (in their role of service providers). S.60 of the CPPA includes the obligation on organizations to “keep and maintain a record of every breach of security safeguards involving personal information under its control” and “on request, provide the Commissioner with access to, or a copy of, the record”. Since personal information transferred to a service provider is still under the control of the transferring organization, organizations that contract with service providers will have to continue to require that they keep and maintain such records so that the organization can comply with the CPPA.
Trans-border data flows
The CPPA continues to permit organizations to transfer personal information to other countries for processing. The new law will codify the OPC Guidance which requires organizations to be transparent about such practices. This obligation is contained in s.62 which states:
Policies and practices
62 (1) An organization must make readily available, in plain language, information that explains the organization’s policies and practices put in place to fulfil its obligations under this Act.
(2) In fulfilling its obligation under subsection (1), an organization must make the following information available…
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
The CPPA does not adopt the GDPR requirements for adequacy or formalities such as the use of contractual clauses before transfers can be legally effective. However, it accomplishes the intended goal of maintaining adequate standards of protection by the more practical and flexible requirements that the service provider, by contract or otherwise, provide the level of protection that the transferring organization is required to provide and by making the service provider expressly fall under the potentially extra-territorial security safeguards provisions of the CPPA.[ii]
New risks for service providers
The CPPA contains substantively new enforcement powers for the OPC and the new Personal Information and Data Protection Tribunal established under section 4 of the Personal Information and Data Protection Tribunal Act. As service providers are now expressly required to comply with the security safeguards provisions of the CPPA, they can expect to be subject to similar investigative and enforcement measures that apply to other organizations, as they relate to compliance with their obligations under ss.57 and 61 of the CPPA. These will now include being potentially subject to:
- complaints launched by individuals and investigated by the Commissioner under ss.82-93;
- audits of their personal information management practices under s.96;
- compliance orders made by the Commissioner under s.92(2);
- penalties imposed by the tribunal up to the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed under s.94(4); and
- damages at the suit of an individual, or potentially a class, affected by a violation of ss.57 or 61 of the CPPA for loss or injury that the individual (or class) has suffered as a result of the contravention under s106(1).
The increased penalties under the CPPA will unquestionably result in at least some service providers deciding not to do business in Canada or with Canadians. This would reduce service providers to support Canadian businesses and increase the costs to Canadian entrepreneurs and others.
The service provider provisions could be improved if Bill C-27 was amended as follows:
- Recommend: Revert to the broader processor construct instead of the “service provider” construct.
- Recommend: Section 11(1) be amended to clarify that organizations that transfer personal information to service providers require them (by contract or otherwise) to comply with the CPPA standards for security in s.57 of the CPPA or other industry standards.
- Recommend: Revise the enforcement measures to make them more reasonable, proportionate and fair procedurally including so as to not influence service providers to shun providing services to Canadian organizations,
This post is an update to CPPA: transfers of personal information to service providers
** Note this post was updated after original posting.
[i] Service provider obligations: 11(2) The obligations under this Part, other than those set out in sections 57 and 61, do not apply to a service provider in respect of personal information that is transferred to it. However, the service provider is subject to all of the obligations under this Part if it collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred. Also, under s 55(3) “If an organization disposes of personal information, it must, as soon as feasible, inform any service provider to which it has transferred the information of the individual’s request and obtain a confirmation from the service provider that the information has been disposed of.”
[ii] The right to transfer personal information across boarders for processing under generally applicable requirements for security appears intended to also comply with Article 19.11(Cross-Border Transfer of Information by Electronic Means) of the Canada-United States-Mexico Agreement (CUSMA) which states: 1. No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person. 2. This Article does not prevent a Party from adopting or maintaining a measure inconsistent with paragraph 1 that is necessary to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restriction. See also Article 14.11 of the CPTPP.