Federal Privacy Commissioner Holds Steady on Processing Personal Information Across Borders

September 24, 2019
By Amanda Branch

On September 23, 2019, the Office of the Privacy Commissioner of Canada (OPC) announced that its 2009 guidelines for processing personal data across borders will remain unchanged under the current law.

Earlier this year, the OPC released its Report of Findings on the Equifax investigation, where it determined, on the facts of the case, that consent was required under the current law for the transfer of personal information from Equifax Canada for processing by its US affiliate, Equifax Inc. Because this interpretation was a departure from the OPCs previous position on transfers for processing, the OPC accepted submissions from stakeholders during a consultation period. 

The OPC received 87 submissions. Stakeholders raised concerns with respect to the position that consent may be required for transfers for processing. The majority of the submissions took the view that there is no requirement under the Personal Information Protection and Electronic Documents Act (PIPEDA) to seek consent for this type of activity and that having to do so would create “enormous challenges” for their business processes. 

The OPC will maintain the status quo until the law is changed; however, it reminds organizations of the legal requirement to be transparent about personal information handling practices, including that organizations should advise customers that their personal information may be sent to another jurisdiction for processing and the potential consequences of that transfer. The OPC also reiterated its expectation that organizations apply the guidelines for obtaining meaningful consent (read our article here).

The OPC will now focus its efforts on how to modernize and reform PIPEDA to best protect Canadians’ privacy rights when their information is transferred between organizations.


This site is registered on as a development site.