November 30, 2020
Whether a Canadian business has operations in the United States, uses a third-party service provider based there, or simply stores its information on a cloud server located there, it is almost impossible to do business in Canada without some cross-border aspect. Regardless of the level of interaction with our neighbours to the south, differences in privacy law need to be considered and addressed by Canadian businesses, because personal information does not necessarily receive the same level of protection in the United States.
Unlike in Canada, where the private sector’s handling of personal data is supervised by federal and provincial commissioners and ombudsmen, regulation of the private sector is minimal in the United States. This is primarily because the United States has no overarching federal privacy legislation, and state-level legislation varies dramatically. Some states have no legislation regulating the private sector at all, while California sits at the other end of the spectrum, having recently passed far-reaching consumer privacy legislation (the California Consumer Privacy Act).
The Office of the Privacy Commissioner of Canada (the “OPC”) recently highlighted some of the issues that clients may face while doing business in the United States in a decision concerning a data breach involving Equifax Inc. and Equifax Canada Co. On April 9, 2019, the OPC released its Report of Findings (the “Equifax Report”) regarding the 2017 breach of Equifax’s systems in the United States. According to the OPC’s findings, Equifax had been made aware of the vulnerability (in the Apache Struts web framework) roughly two months before attackers exploited it, and a further two months passed before the intrusion was detected. By then, the attackers had accessed personal information, including payment card and credit file data, for more than 143 million individuals worldwide, including approximately 19,000 Canadians whose Social Insurance Numbers (SINs) and other accompanying identifiers had been compromised.
The OPC found that the affected Canadians had purchased direct-to-consumer products, or had fraud alerts placed, through Equifax Canada, and that their information was being processed by the U.S. parent company. During its investigation the OPC also found that Equifax Canada’s security infrastructure was highly integrated with that of its parent, which raised concerns about whether Equifax Canada had adequate accountability for Canadian data processed by its parent company and whether it had obtained valid consent from individuals for that processing. The OPC held that the transfer of information between Equifax Canada and its parent company fell squarely within the accepted definition of a “disclosure” and that Equifax Canada had not obtained the required consent from Canadians.
The OPC’s decision departed from its previous interpretation of a “transfer” of personal information as distinct from a “disclosure”. Its 2009 Guidelines for Processing Personal Data Across Borders had stated that a transfer for processing is a “use” rather than a disclosure, so that, provided the information was used for the purpose for which it was originally collected, no additional consent for the transfer was required.
Anticipating a response from the business community to its change in position, the OPC launched a consultation on trans-border data flows on the same day it released the Equifax Report. A few months later, however, the OPC reframed the consultation after the federal government announced its Digital Charter and published a related white paper that contemplated amending the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC sought views both on how current privacy legislation should be interpreted and applied to trans-border data transfers and on how a future law should provide effective privacy protection.