An Explainer on Cross Border Personal Data Transfers: Helpful Measures for Businesses

Author: Marsha Simone Cadogan, Barrister & Solicitor.

Your personal information is important – it likely includes private and confidential data that should not be widely known or shared with others. Data breaches have become more common in recent years, compromising consumers’ privacy and affecting businesses’ credibility. We share an enormous amount of data every day. We live in a world where data is generated, shared, analyzed, and disclosed in various formats (and for various purposes). In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the private sector’s collection, use, and disclosure of personal information. There are laws like the Personal Health Information Protection Act, which imposes a fiduciary duty on healthcare institutions and providers to protect personal information in their possession.

PIPEDA applies to information about natural persons, some of which may be sensitive. This information includes financial data such as credit score details and loan records, health records and personal attributes data such as age, ID, blood type and ethnic origin. With more digital solutions in businesses’ day-to-day operations, businesses acquiring, using, and disclosing data will become more commonplace. Businesses that transact with private sector entities in other countries and share their clients’ data are responsible for ensuring that measures are in place to safeguard the data.

The receiving party may also have a contractual obligation to protect Canadian data in its possession. The Canadian data controller is responsible for ensuring that the foreign entity protects the data and uses it only for the stated purposes outlined in a well-drafted contract. The digital trade/e-commerce chapters of the Canada-United States-Mexico Agreement (CUSMA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) include provisions on how the personal information of natural persons should be treated in the contracting parties’ jurisdictions. CUSMA’s language and outlook on cross-border personal data transfers are the same as in the CPTPP. On its own, this is not a significant issue. It means that at least eleven countries (parties to the CPTPP and CUSMA) will eventually have a similar approach to how personal data is collected, used, and disclosed within and between countries. In Canada, PIPEDA and the OPC’s Guidelines for Processing Personal Data across Borders guide how data transfers are handled across borders.

The European Union’s (EU) General Data Protection Regulation (GDPR) offers the most comprehensive personal data protection. It is focused on European citizens and residents. However, the GDPR also applies to Canadian companies that do business with citizens and residents of the EU. Therefore, Canadian businesses that serve EU clients should have implemented GDPR-compliant measures as part of their data governance strategy. At the same time, Canadian companies’ data policy measures should meet the lower compliance requirements of PIPEDA. PIPEDA, however, is out of date with the realities of our digital economy. With increasing data flows within and across organizations, most consumers are wary of how, on what terms, and how much of their data is disclosed in most situations. These concerns are not adequately addressed in PIPEDA. For example, a consumer would want to be informed if their credit score, age, and ethnicity are transferred to a company based in Japan that uses the data to develop and test a financial app for a Canadian company. The company may assert that it has consent to disclose the information because the disclosure falls within the general purposes of the type of business transactions the customer expects the company to carry out on its behalf. A company that provides loans does not have the right to use personal information for ancillary purposes without the individual’s consent. This is not specified in PIPEDA. With Bill C-11 off the legislative table, a data privacy overhaul would still be a significant step towards dealing with the realities of a data-driven economy.

Three Helpful Measures for Businesses Involved in Cross-Border Personal Data Transfers:

  • Implement internal policies on data security, access and management that are in line with federal and provincial laws on the collection, use and disclosure of personal information;

  • Ensure that contracts outline the terms and conditions for transferring personal data. These should be based on PIPEDA, OPC’s Guidelines for Processing Personal Data across Borders and any other law that protects the security and confidentiality of a client’s data – and be context specific. A one size fits all approach will likely not work;

  • Inform individuals that their data is being transferred across borders. Notification should happen before the transfer and should be stated in the business’s privacy policy. Any significant changes in business operations that affect how personal data is disclosed should be addressed in company manuals and privacy policies and may need to be directly communicated to customers. A business should also assess the purpose for which personal data is transferred to third-party service providers. If the transfer is for the same purpose for which the data was originally collected, additional consent from the customer is not required.

Cyber attacks are now more frequent than before. These attacks give hackers access to large amounts of data, some of which are sensitive. Taking a proactive approach to data privacy in cross-border data transfers helps secure clients’ privacy and business stability.

This article is for general information only and is not intended as legal advice.