Cross Border Data Transfers
In a world of ubiquitous digital communications, data, including personal information, may cross international borders and be held, even temporarily, in diverse international jurisdictions. Concerns arise as to whether the level of protection applied in a foreign jurisdiction is sufficient to meet domestic legislative or non-legislative standards, and also whether or not such protection exists, the legislative regime in the foreign jurisdiction may permit access to such information (e.g. by law enforcement authorities) without consent or even notice to the individuals or other data owners.
Consequently, certain jurisdictions have enacted laws or articulated rules respecting conditions and, in some instances, the prohibition, of data transfer outside of the domestic jurisdiction. Probably the most well-known and earliest example of such a restriction is found in the data transfer rule under the European Union’s General Data Protection Regulation (GDPR), which stipulates that for any personal information transferred outside of an EU country, the recipient jurisdiction must have in place privacy protection legislation equivalent to that existing under the Regulation. The rule was a major factor in Canada’s early adoption of PIPEDA (federal Personal Information Protection and Electronic Documents Act). While the United States has to date not adopted any general privacy law equivalent to the GDPR, the recently negotiated Trans-Atlantic Data Privacy Framework, replacing the previously operative EU-U.S. “Safe Harbor” and “Privacy Shield” regimes seeks to enable organizations to transfer data to the U.S. on the basis of protections equivalent to the rules under the Regulation.
In Canada, the Quebec Private Sector Privacy Act contains a stipulation similar to the EU rule. No other Canadian privacy legislation contains such a rule. However in limited instances statutory rules either prohibit transfer of personal information without consent outside of Canada, or require notice of such transfer to affected individuals. In a large part, the initiative for these rules were the U.S. Patriot Act provisions, adopted following the September 2001 terrorist attacks, that permitted court-ordered law enforcement/national security access to private information without notice. However their relevance took on greater significance in light of the disclosure regarding interception of private e-mail communications by the U.S. National Security Agency.
In British Columbia and Nova Scotia, the public sector access and privacy laws stipulate conditions for government institutions and Crown agents, as well as their service providers, with respect to transferring personal information outside of Canada.
The Alberta Personal Information Protection Act (PIPA) currently is the only private sector privacy regime of general application that contains any statutory requirements for transfer of personal information outside of Canada. Under PIPA, an organization that intends to transfer personal information outside of Canada for processing (i.e. outsourcing) must previously have provided notice to individuals of its policy and procedures addressing such transfer as well as contact information of its representative who can respond to questions regarding such activities. Although not expressly stated, the PIPA provision should be read to require as well notice to such individuals that the organization may make such transfers. To be noted, the PIPA provision applies to cross border outsourcing arrangements but not to simple disclosures of personal information outside of Canada.
The federal private sector privacy law, PIPEDA, contains no rules prohibiting or restricting cross-border data transfers. However the federal Privacy Commissioner has issued guidelines stipulating that notice of such transfers be given to affected individuals. Such notices are recommended to include (i) that their personal information may be transferred to foreign jurisdictions for processing and (ii) that in such jurisdictions their personal information may be accessed by the courts, law enforcement and national security authorities. The Privacy Commissioner’s guidance document also includes recommendations for contract clauses for service provider/outsourcing agreements that contemplate cross border data transfers.
The Ontario Personal Health Information Protection Act, 2004 (PHIPA) does not restrict cross-border transfer of personal information for outsourcing purposes. However it does prohibit the disclosure of personal information to persons outside of Ontario without the affected individuals’ consent.
Organizations entering into outsourcing arrangements that may involve cross-border data transfer need to consider what notice should be given to the affected individuals, where no prior notice exists. In circumstances involving private sector employee personal information, only three provinces have privacy laws with application (Quebec, Alberta, B.C.). As noted above, notice is only required under the Alberta PIPA; however it is recommended that a consistent notice be given to employees in all relevant provinces/territories including those without privacy laws, for cross-country consistency and as a best practice. Such notice should respond to both the Alberta statutory requirement as well as the federal Commissioner’s guidance.