Privacy Commissioner of Canada Dismisses Complaint Re: Personal Information Transferred to Third Party

Last updated on August 24, 2020

The Office of the Privacy Commissioner of Canada (“OPC”) recently rendered a decision on a privacy complaint brought against TD Canada Trust in which the complainant alleged that the bank had outsourced aspects of its fraud claims processing services to a third-party service provider in India without obtaining customers’ consent or offering customers the choice to opt out. The complaint was held to be unfounded and dismissed.

The OPC found that TD complied with the law and the OPC’s Guidelines For Processing Personal Data Across Borders. In its decision, the OPC reasoned that:

  • the third-party service provider was using TD customers’ information to manage fraud claims for TD, a purpose for which TD had initially collected the information;
  • TD was not required to obtain separate consent for, or to provide customers with the choice to opt out of, the transfer of customers’ personal information to the third-party service provider for that same purpose;
  • TD was appropriately open to current and potential customers about its outsourcing practices in the account opening agreements; and
  • the bank had been accountable for the information it transferred to the third party in question through a strong contract and monitoring approach.

The OPC noted the following two key takeaways from its decision:

  • Organizations transferring personal information to third-party processors should communicate clearly about this transfer to both current and potential customers.
  • Organizations should address privacy risks related to trans-border data flows through contractual and other measures, including compliance monitoring.