It’s Beginning to Look a lot like GDPR – PIPEDA Amendments Threaten Balanced Approach to Privacy in Canada

Last week, IAB Canada hosted a privacy webinar where we discussed privacy developments from across the globe.  One of the key highlights we covered was an alarming update received from the Office of the Privacy Commissioner (OPC) concerning a proposed amendment to PIPEDA that consent will soon be required for any trans-border data flows used for processing. This announcement is concerning to virtually all IAB Canada members as the existing requirement for trans-border data flows is limited to disclosure or “notice” – not expressed consent.

This move signals the OPC’s focus towards stricter, GDPR-like legislation and is a significant departure from PIPEDA’s balanced structure, which has historically provided strong consumer protection while allowing just enough flexibility for the digital advertising industry to innovate alongside.

Two points from the OPC’s underpinning rationale include their view that:

  • “individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.  Whether this affects their decision to enter into a business relationship with an organization or to forego a product or service should be left to the discretion of the individual. “
  • “An organization that processes personal information on behalf of another organization may still have obligations under the Act in respect of the personal information in its possession or custody, as an organization that collects, uses or discloses personal information in the course of commercial activities.”

This is a fundamental departure from OPC’s original “Processing Personal Data Across Borders” guidelines issued in January 2009. These original guidelines state that “assuming information is being used for the purpose it was originally collected, additional consent for the transfer is not required”, unless an exception is applied.

IAB Canada and its members hold the position that the new requirements are unreasonable, and that this new interpretation of the law has the potential to negatively affect Canada’s business climate and global competitiveness. Not only will the new requirements result in increased costs for Canadian businesses, but they will also act as a barrier for organizations to work with outside partners.

Canadian businesses might have to go back and obtain consent from individuals and will be required to maintain two sets of processes and infrastructures to manage personal information. This will also undoubtedly affect the online consumer experience as consumers will face an increase of pop-ups and consent language each time they interact with a business that transfers personal information for processing purposes.

Meanwhile, our IAB Europe office continues to drive industry adoption of its Transparency and Consent framework (also covered on our call). The TCF tool launched last year and was designed to effectively transfer consent signals through the supply chain to help GDPR-affected platforms comply with the law. As we approach the realities of more stringent privacy law in North America, we continue to stay close to European developments as they may prove useful to us in the future

The OPC has stated that they intend to provide guidance on disclosures for processing and related consent and accountability requirements and welcomes input from interested parties. IAB Canada will be preparing a submission, on behalf of our members. If you are interested in participating in this process please let us know by emailing