Wednesday, December 11, 2019

Privacy Commissioner again upends the consensus on transfers for processing in Aggregate IQ investigation

You may recall earlier this year when the Canadian Privacy Commissioner completely revised the previous consensus by concluding that a "transfer for processing" was a disclosure that requires consent, along with any cross-border transfer of personal information. The Canadian privacy and business community were shocked by this reversal and the Commissioner eventually reversed this position, returning to the status quo.

Once again, the OPC has upended the consensus on using contractors to process information on behalf of a client.

The Privacy Commissioner of Canada and the Information and Privacy Commissioner of British Columbia together released their reports of findings into Aggregate IQ on November 24, 2019, following their joint investigation of the company. You may recognize the name of the company, as it was implicated in the many international Cambridge Analytica investigations. It was a contractor to the now infamous company that was implicated in a range of mischief related to the Brexit campaign and the US 2016 presidential election.

As a Canadian company, it should not be surprising that Aggregate IQ would come under scrutiny in Canada. What is surprising is that the result of the investigation essentially turns a whole lot of Canadian thinking about privacy and contracting out of services on its head, and also seems to ignore binding precedent from the Federal Court of Canada.

Aggregate IQ is essentially a data processing company that works on behalf of political parties and political campaigns. They take data from the campaigns, sort it, supplement it and sometimes use it on behalf of their clients. They key is that they do this work on behalf of clients.

Superficially, it may make sense to conclude that a Canadian company is subject to Canadian privacy laws. But the working assumption has always been that companies that collect, use and disclose personal information on behalf of clients are subject to the laws that govern their clients and their clients' activities. Those "trickle down" through the chain of contracts and sub-contracts. What's shocking is that the OPC has concluded that compliance with those laws is not enough. Processors in Canada, they say, have to also comply with Canadian laws even when they are incompatible with the laws that regulate the client.

For example, Aggregate IQ did work on a mayoral campaign in Newfoundland. No privacy law applies to a mayoral campaign in Newfoundland, but nevertheless the OPC says that Aggregate IQ needed consent for their use of the information on behalf of the candidate. The campaign did not need consent, but the OPC concluded that by using a contractor, the campaign is subject to more laws and additional burdens than the government of Newfoundland has concluded are necessary. Similarly, the OPC says that Aggregate IQ needed consent under PIPEDA for what they were doing on behalf of US and UK campaigns, even though the activity is largely unregulated in the US and consent is not required in the UK (using legitimate bases for processing under the GDPR). Setting aside whether the campaigns were actually complying with their local laws, the conclusion from the OPC is that additional Canadian requirements will be overlaid on top of the laws that should actually matter and actually have a close connection to what's really going on.

Until this point, the consensus has generally been that when a contractor is handling data for a customer, the obligations that lie on the customer flow down to the contractor. Similar to the “controller” and “processor” scheme in GDPR.

Canadian privacy law applies to the collection, use and disclosure of personal information in the course of commercial activity. And you'd think that Aggregate IQ is engaged in commercial activity so PIPEDA would apply. But that's not the case. If a contractor is collecting, using or disclosing personal information on behalf of a client, you have to look at that client's purposes. The Canadian Federal Court clearly concluded this in State Farm v Privacy Commissioner.* In that case, the OPC asserted its jurisdiction over an insurance company because they were clearly commercial, even when acting on behalf of an individual defendant in a car accident lawsuit. The Federal Court firmly disagreed. One has to look at what's really going on. State Farm was not handling personal information on its own behalf, but on behalf of its insured who was not subject to any privacy regulation for that activity. The same principle applies here. If Newfoundland has decided not to regulate how mayoral candidates collect and use personal information, it makes no difference if they use that information themselves or hire a contractor to do that.

This upends what has been understood to be the way things work. And it has worked.

And it is really bad public policy. It puts Canadian companies at a significant disadvantage in very competitive industries. While many people say that GDPR is much more privacy protective, there are many circumstances where personal data can be processed without consent, but based on a legitimate interest. A company or campaign in Europe would be much better off hiring a European company if hiring a Canadian company meant that the legitimate interest is disregarded and a Canadian consent requirement were superimposed. The same would apply to a Canadian campaign: the campaign that complies with whatever laws apply to it directly is suddenly subject to additional rules if it hires a contractor to carry out what would otherwise be a compliant and lawful activity.

It is also really bad public policy because if you take it to the logical conclusion, it means that Canadian governments cannot hire contractors to process or use personal information on their behalf. All Canadian public sector privacy laws are based on "legitimate purposes", so consent is not required where the collection, use or disclosure is lawfully authorized and legitimate. But this finding by the OPC would say that the contractor has to get consent under PIPEDA for whatever they do for their public sector client. This is not workable and I hope is an unintended consequence.

Beyond that, I'm not sure what to say. It appears that Aggregate IQ has agreed to follow the Commissioner's recommendations, so this will not be given the chance to be corrected by the Federal Court.

How this will play out in future cases remains to be seen.

* I should note that I was counsel to State Farm in that case.