International Data Transfer to Third Countries

PIPEDA is silent with respect to transfers of personal information to jurisdictions outside of Canada. However, as noted above, the accountability principle in PIPEDA makes organizations responsible for personal information in their control, even when it is transferred to a third party for processing. When transferring personal information to a third-party processor, an organization is required to use contractual and other means to provide a comparable level of protection while the information is being processed by the third party.

This principle applies to foreign data transfers just as it does to transfers within Canada. In the case of foreign transfers, an outsourcing organization would be required to consider the legal and political regimes in the destination country to assess its ability to ensure a comparable level of protection.

 

The Office of the Privacy Commissioner of Canada has made several findings and issued guidance related to cross-border transfers of personal information, including:

  • PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing, but the other requirements of the Act must be respected.
  • A transfer for processing is a “use” of the information, not a disclosure. Accordingly, if the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
  • While consent, per se, is not required, individuals must be advised, in clear and understandable language, that their information may be processed in a foreign country, where it may be accessible to law enforcement and national security authorities in that jurisdiction.
  • PIPEDA does not contain the concept of binding corporate rules; however, if an organization is transferring data to another entity that belongs to the same corporate group, the transfer is still subject to the accountability principle, and to the requirement that personal information should be shared with/accessible to only those who legitimately require the information in order to fulfil the purposes for which it was collected.
  • The concept of “onward data transfers” is also not explicitly included in PIPEDA but would be subject to the same notice requirements as set out above. In order to manage risk and meet the notice requirements of the Act, onward data transfers should be addressed in an organization’s contracts with third-party data processors, including subcontracting arrangements that may involve onward transfers of data.

 

The Office of the Privacy Commissioner of Canada has issued Guidelines for Processing Personal Data Across Borders:

Please visit: https://www.priv.gc.ca/en/privacy-topics/personal-information-transferred-across-borders/gl_dab_090127/

 

Alberta’s private sector privacy law, the Personal Information Protection Act, explicitly requires organizations to notify affected individuals of any transfers of their personal information to a service provider outside Canada. These policies and practices must include information respecting the countries outside Canada to which personal information may be transferred and the purposes for which service providers outside Canada have been permitted to process personal information.

Organizations must notify affected individuals as to how they may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and provide contact information to a person who can answer questions about these policies and practices.