CROSS-BORDER DATA TRANSFERS
A three-part series from KI Design:
When personal information (PI) is moved across federal or provincial boundaries in the course of commercial activity, it’s considered a cross-border data transfer.
Transferring data brings risk. As well as increasing the dangers of unauthorized access and use, it raises legal complications: the data will become subject to the laws of the country to which it’s being transferred. Your company will need to take legal advice to make sure you’re aware of what laws are applicable, and what that may mean in terms of compliance.
Remember: Once the data is transferred, your organization will continue to have the same legal obligations to data subjects. Even when the PI is in a different jurisdiction, privacy requirements laid down by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), such as obtaining a data subject’s consent for sharing their data, are still in play.
If your organization chooses to transfer PI to a company outside Canada, you’ll need to notify any affected individuals, ideally at the time of data collection. Depending on the type of information involved, these individuals may be customers or employees. The notice must make it clear to the data subject that their personal information may be processed by a foreign company, and thus become subject to foreign laws. Data subjects should be advised that foreign legislation (such as the USA PATRIOT Act) might grant that country’s courts, law enforcement, or national security authorities the power to access their PI without their knowledge or consent.
Once an individual has consented to the terms and purposes of data collection, they don’t then have the right to refuse to have their information transferred, as long as the transfer is in accordance with the original intended purpose of collection.
Legal Requirements: Data Outsourcing across Jurisdictions
CANADA: PIPEDA regulates all personal data that flows across national borders in the course of private sector commercial transactions, regardless of other applicable provincial privacy laws.[i]
Outsourcing personal data processing activities is allowed under PIPEDA, but all reasonable steps must be taken to protect the data while it is abroad.
Because of the high standards PIPEDA sets for protecting Canadians’ personal information, the privacy risks of sharing data with non-EU-based foreign companies are greater than if your company were sharing data with a Canadian organization.
When personal information is transferred internationally, it also becomes subject to the laws of the new jurisdiction. These cannot be bypassed by contractual terms asserting protection from data surveillance. Foreign jurisdiction laws cannot be overridden.
US privacy law is constantly evolving, through a series of individual cases and a patchwork of federal and state laws. This piecemeal approach to privacy regulation makes it challenging to evaluate privacy compliance.
For Canadian organizations using US-based data processing services, the differences between Canadian and US privacy models raise valid concerns about enforcement. Canadians do not have access to Federal Trade Commission complaint processes (unless a US consumer law has been broken). Despite signing contracts that include privacy provisions, Canadian organizations rarely have the resources to pursue litigation against major US Internet companies. In practical terms, this means that US companies may not be legally accountable to Canadian clients.
Recent US data surveillance laws make Canadian PI held by US companies even more vulnerable. Several provinces have passed legislation prohibiting public bodies, such as healthcare and educational institutions, from storing personal information outside Canada. Alberta’s Personal Information Protection Act creates statutory requirements regarding private sector outsourcing of data. The Act requires that organizations transferring PI across Canadian borders for processing (rather than a simple transfer of PI) must have given affected individuals prior notice of the transfer, as well as the opportunity to contact an informed company representative with any questions. It also imposes a mandatory data breach reporting obligation. BC’s Personal Information Protection Act contains similar requirements. Quebec’s stricter private-sector privacy law restricts the transfer of data outside the province.[ii]
“Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.”
– Office of the Privacy Commissioner
Sector-specific Canadian operations may face additional legal requirements. Outsourcing the processing of health information will be regulated by the various provincial health information laws, for example. While the Ontario Personal Health Information Protection Act doesn’t limit cross-border PI transfers, it does prohibit the disclosure of PI to persons outside Ontario without the consent of affected individuals.
UNITED STATES: The USA PATRIOT Act declares that all information collected by US companies or stored in the US is subject to US government surveillance. Foreign data subjects have little recourse to protect the privacy of their personal information held by US multinational corporations, which include most cloud computing service providers.
EUROPE: The European approach to data sharing across jurisdictions is based on territory: foreign companies must comply with the laws of the countries in which their customers reside.
The EU’s General Data Protection Regulation (GDPR) generally prohibits the transfer of personal information to recipients outside the EU unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.[iii]
For foreign companies to operate in Europe, national regulators in each jurisdiction within the EU will have to assess the legal compliance of company codes of conduct. These will have to contain satisfactory Privacy Principles (e.g., transparency, data quality, security) and effective implementation tools (e.g., auditing, training, complaints management), and demonstrate that they are binding. Codes of conduct must apply to all parties involved in the business of the data controller or the data processor, including employees, and all parties must ensure compliance. (For instance, under the GDPR, cloud computing service providers will almost certainly have to locate servers outside the US to protect data from American surveillance privacy violations.)
Canada is currently deemed an “adequate” jurisdiction by the EU because of the privacy protections provided by PIPEDA (although be aware that adequacy decisions are reviewed every four years, and so that may change). Your company will still need to make sure that data transfer protocols follow the GDPR’s requirements, which are stricter than those mandated by PIPEDA. Consent is something you’ll need to pay particular attention to. The GDPR does not allow an opt-out option; consent to data processing must be informed and specific.
Given the scale of financial penalties under the GDPR, it’s best to consult legal counsel to ensure that you have dotted your i’s and crossed your t’s.
Regulating Data Sharing between Organizations: A Cross-border Analysis
EU and North American laws around data sharing reflect very different understandings of responsibility for protecting privacy. At first glance, US and Canadian laws mandate that personal data shared with a third party be bound by a policy, the provisions of which ought to be equally or more stringent than the terms to which data subjects agreed when they initially released their personal information. However, these North American privacy laws only hold accountable the primary service provider that first collected the data; privacy breaches by data recipients are considered to be violations of contractual obligations, but not violations of privacy rights.
The European Union’s General Data Protection Regulation, in contrast, adopts a shared responsibility model for data sharing; both service providers (in this context, data collectors) and subcontractors (data processors or other third-party vendors) are responsible for enforcing privacy provisions. Data collectors are not permitted to share personal data with a third party unless it is possible to guarantee the enforcement of equal or stronger privacy provisions than those found in the original agreements with data subjects. This shared responsibility model reflects greater privacy maturity, by shifting from an exclusive focus on adequate policy and contracts to ensuring effective implementation through monitoring and governance of all data holders.
For further information on data transfers, and privacy compliance matters generally, see the book of Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.
A three-part series from KI Design:
- Part I: Data Outsourcing
- Part II: Cross-border Data Transfers
- Part III: Preparing for Data Transfer – Clauses for Vendor Contracts
[i] For further information, see Office of the Privacy Commissioner, “Businesses and Your Personal Information,” online at: https://www.priv.gc.ca/en/privacy-topics/your-privacy-rights/businesses-and-your-personal-information/.
[ii] For further information, see George Waggott, Michael Reid, & Mitch Koczerginski, “Cloud Computing: Privacy and Other Risks,” McMillan LLP, December 2013, online: https://mcmillan.ca/insights/cloud-computing/
[iii] For further information, see the analysis by Dr. Detlev Gabel & Tim Hickman in Unlocking the EU General Data Protection Regulation: A Practical Handbook on the EU’s New Data Protection Law, Chapter 13, White & Case website, 22 Jul 2016, online at: https://www.whitecase.com/publications/article/chapter-13-cross-border-data-transfers-unlocking-eu-general-data-protection.