In April 2019, the OPC found in PIPEDA's #2019-001 report, in a diametric reversal of the OPC's previous political position, that an organization was required to obtain additional consent from individuals before transferring its personal data to a third-party provider across national borders. The OPC's new position, which has raised potentially significant compliance problems for organizations that outsource to third parties, has been widely criticized for its impracticality. Once the OPC has completed its investigation and issued a report, either the OPC or the complainant can apply to the Federal Court to seek enforcement and/or compensation under PIPEDA. It is also possible to impose a fine for non-compliance with certain provisions of PIPEDA.
The OPC then responded to the question of whether FI had been transparent about its use of the third party. The OPC found that the data protection agreement and the FI privacy code stipulated that FI could transfer personal data to third parties, and that the FI Privacy Highlights website also indicated that these service providers could reside in other jurisdictions. In addition, FI provided this information to each of its customers in a timely manner when each customer applied for an FI product. The OPC found that FI had voluntarily provided "eminent, clear and understandable information" about its outsourcing practices and that FI had been sufficiently open about those practices.
The OPC first considered whether FI was required to obtain additional consent to pass on its customers' personal data to a third party in India. The OPC referred to its 2019 guidelines, which explain that, when an organization transfers personal data to a third-party provider, the service provider can only use that personal data for the purposes for which it was originally collected.
When the service provider uses personal data for other purposes, the organization must obtain additional consent to transfer this personal data to the service provider.
The OPC verified FI's account agreement, confidentiality agreement and privacy code and found that each document stipulated that FI could use its customers' personal data, among other things, to protect them from fraud. Therefore, since the third-party provider used the personal data of FI customers for the same purpose as the one for which FI collected the personal data, it was not necessary to obtain additional consent.
The Competition Bureau announced that it had reached an approval agreement with Facebook to resolve an investigation into the company's privacy rules for users between 2012 and 2018. As part of the transaction, Facebook agreed to pay $9 million plus $500,000 $US in fees, a significant fine in Canada. The approval agreement with the Bureau follows a much heavier US$5 billion penalty imposed on Facebook by the United States.