In its submission to the Office of the Privacy Commissioner of Canada (OPC), the IIAC (Investment Industry Association of Canada) expressed concern about the proposal to require express client consent when personal data is processed outside of Canada for the purposes of providing services (such as payment services, cloud services, and HR and marketing services), or transferred to third parties domestically or internationally for such processing.
The use of third parties to process data outside of Canada is well-established practice, with firms maintaining ultimate responsibility for the safety and integrity of client data. The IIAC strongly believes the proposal will impose a significant burden on both firms and their clients without affording additional investor protection. In addition, the enhanced consent requirement will detract from PIPEDA’s stated goal “to support and promote electronic commerce” in that the costly and unwieldy regulatory burden stemming from its implementation will discourage innovations that promote better client services.
The IIAC believes that relying on the first of the 10 Fair Information Principles of PIPEDA, i.e. “Accountability”, rather than requiring express consent, is appropriate where the transborder data flows and transfers for processing related to standard business practices pertaining to the provision of services for which the client has contracted. This framework for client data protection is consistent with the reasonable expectations of clients.