An Explainer on Cross Border Personal Data Transfers: Helpful Measures for Businesses

Author: Marsha Simone Cadogan | MSC Intellectual Property & Technology Law (MSC IPTL)

Your personal information is important – it likely includes private and confidential data that should not be widely known or shared with others. In recent years, data breaches have become more common, compromising consumers’ privacy and affecting businesses’ credibility. We share an enormous amount of data every day. We live in a world where data is generated, shared, analyzed, and disclosed in various formats (and for various purposes). In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal information by private sectors. There are laws like the Personal Health Information Protection Act, which imposes a fiduciary duty on health care institutions and providers to protect personal information in their possession.

PIPEDA applies to information about natural persons, some of which may be sensitive. This information includes financial data such as credit score details and loan records, health records and personal attributes data such as age, IDs, blood type and ethnic origin. With the use of more digital solutions in businesses’ day-to-day operations, instances of businesses acquiring, using, and disclosing data will become more commonplace. Businesses that transact with private sector entities in other countries and share their clients’ personal data in doing so, have a responsibility to ensure that measures are in place to safeguard the data.

The receiving party may also have an obligation (contractual) to protect Canadian data that is in their possession. It is the Canadian data controller’s responsibility to ensure that the foreign entity protects the data and uses it for the stated purposes as outlined in a well-drafted contract. Both the digital trade/e-commerce chapters of the Canada-United States-Mexico Agreement (CUSMA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership Agreement (CPTPP) include provisions on how the personal information of natural persons should be treated in contracting parties’ jurisdiction. CUSMA’s language and outlook on cross border personal data transfers is the same as that which is in the CPTPP. On its own, this is not significant issue. In practice, this means that at least eleven countries (parties to the CPTPP and CUSMA) eventually will have a similar approach to how personal data is collected, used, and disclosed within and between countries. In Canada, PIPEDA and the OPC’s Guidelines for Processing Personal Data across Borders provide guidance on how data transfer is handled across borders.

The European Union’s (EU) General Data Protection Regulation (GDPR) offers the most comprehensive protection of personal data. It is focused on European citizens and residents. However, the GDPR applies to Canadian companies that do business with citizens and residents of the EU. Therefore, Canadian businesses that serve EU clients should have implemented GDPR compliant measures as part of their data governance strategy. At the same time, Canadian companies’ data policy measures should meet the lower compliance requirements of PIPEDA. The PIPEDA however, is out of date with the realities of our digital economy. With increasing data flows within and across organizations, most consumers are wary of how, on what terms and how much of their data is disclosed in most situations. These are not adequately addressed in PIPEDA. For example, a consumer would want to be informed if their credit score, age, and ethnicity is transferred to a company based in Japan who uses the data to develop and test a financial-based app for the Canadian company. The company may assert that it has consent to disclose the information as it is within the general purposes of the type of business transactions that the customer expects the company to do on its behalf. A company whose business it is to provide loans does not have the right to use the personal information for ancillary purposes without the consent of the individual. This is not clearly specified in PIPEDA. With Bill C-11 off the legislative table, data privacy overhaul will still be a significant step towards dealing with the realities posed by a data-driven economy.

Three Helpful Measures for Businesses Involved in Cross Border Personal Data Transfers

Implement internal policies on data security, access and management that are in line with federal and provincial laws on the collection, use and disclosure of personal information

Ensure that contracts clearly lay out the terms and conditions under which personal data is transferred. These should be based on PIPEDA, OPC’s Guidelines for Processing Personal Data across Borders and any other law that protects the security and confidentiality of a client’s personal data – and be context specific. A one size fits all approach will likely not work.

Inform individuals that their data is being transferred cross-borders. Notification should happen prior to transfer and should be stated in the businesses’ privacy policy. Any significant changes in business operations that affect how personal data is disclosed should be addressed in company manuals, privacy policies, and may need to be directly communicated to customers. A business should also assess for what purpose personal data is being transferred to third party service providers. If the transfer is for the same purpose as the reason why the data was collected for in the first place, additional consent from the customer is not required.

Cyber attacks are now more frequent than before. These attacks give hackers access to large amounts of data, some of which are sensitive in nature. Taking a proactive approach to data privacy in cross border data transfers help to secure the privacy of clients and business’ stability.

In the News – Marsha Simone Cadogan

Dealing with ADR Clauses in Technology Contracts: Best Practices – Marsha chaired LES – USA & Canada’s High tech sector webinar on May 17th 2023.

Read Marsha’s CIGI paper, “Enforcing Smart Legal Contracts: Prospects and Challenges” here. Watch the explainer video here.

Marsha chaired LES- U.S.A & Canada, High tech sector startups virtual lunch and learn on Developments in Digital Technology Trends in 2022 that Impact Startups (Dec. 13th, 2022).

Marsha Simone was a Speaker at CISDL’s Biodiversity Law & Governance Day- COP 15 on Dec. 10, 2022. (IP considerations in ABS agreements)

Marsha Simone Cadogan spoke about the challenges of GI designations in Canada’s export market at the 6th Annual Canadian Association For Food Law and Policy Conference.

Marsha Simone Cadogan was awarded a Platinum Jubilee Award for her significant contribution to the Richmond Hill Community, October 23, 2022.

Marsha Simone Cadogan’s CIGI’s opinion piece: Cryptocurrency in Wartime: Can the Unregulated by Regulated? published April 28th 2022. Read here

January 26th: Semi-conductor Licensing, All You Need to Know – Licensing Executives Society, U.SA. and Canada, High Tech sector webinar

The Licensing Executives Society – United States and Canada, 5 minute licensing update podcast episode featured Marsha S. Cadogan talking about trade secrets

Marsha spoke on NFTs and Copyright Law – National and International Law Dimensions on August 6th at MSC IPTL summer workshop series.

Practical Tips in Drafting ADR clauses in Licensing Agreements, Licensing Executives Society, U.S.A & Canada, High Tech Sector startups, chaired by Marsha on August 10th. For more information see.

Domain Names and ADR webinar – Intellectual Property Institute of Canada (July 27th), moderated by Marsha. For more info see here.

Intellectual Property and Licensing Developments in Green High Technologies with World Intellectual Property Organization (WIPO Green) webinar – July 7th Licensing Executives Society – USA & Canada webinar, Moderated by Marsha S. Cadogan

Marsha spoke about Canada’s new trade secret legislation in the context of food and beverage industries at the 5th Annual Canadian Association For Food Law & Policy Conference on May 12, 2021 (http://foodlaw.ca/conference-recordings-2021).

Marsha chaired the Licensing Executives Society – U.S.A & Canada High Technology Sector startups webinar on “Putting Innovation and Monetization Together: Challenges & Strategies for High technology startups” (April 20th).

Marsha S. Cadogan chaired the Licensing Executives Society – U.S & Canada High Technology Sector startups webinar on Trade Secret Licensing: Reasonable Efforts and Potential Pitfalls, April 07, 2021

Enterprise League quoted Marsha Cadogan in their article on “Bad branding: 16 Critical Branding Mistakes and How to Avoid them” (Feb 26, 2021)

Marsha Cadogan spoke on the prospects of leveraging food based geographical indications in Atlantic Canada: EU-Canada Webinar Series, January 20, 2021.

Marsha’s article about the Basmati rice, India-Pakistan geographical indication dispute is featured in The Lawyers Daily, December 18th, 2020.

Marsha moderated the Licensing Executives Society – United States and Canada High technology sector webinar on “The Changing COVID-19 IP Landscape and Challenges and Opportunities for International Licensing’” on Nov. 16. 2020.

Marsha spoke on international intellectual property law and the COVID-19 pandemic at the American Branch of the International Law Association’s (ABILA) International Law Weekend (October 22)

Marsha moderated the Licensing Executives Society webinar on Patent Pledges, (Sept.28)

Marsha moderated the Licensing Executives Society’s webinar on Promoting Innovation in High technology Start ups: Challenges, Strategies and Opportunities. (Aug.10th)

The Lawyers Daily (July 27th): Implications of International Treaty on Geographical Indications (Marsha S. Cadogan, author).

The Lawyers Daily (Aug. 4th): Canada’s Food and Beverage Industries and Geographical Indications (Marsha S. Cadogan, author)

Marsha recently spoke on IP and innovation in the context of the SDGs at CISDL’s International Law Symposium – May 15 2020 (Panel: Structuring Rights-Based Trade, Investment & Financial Rules for Economic Recovery – SDGs 9, 10 & 11)

How does blockchain technologies impact your food based geographical indications rights ?See Marsha S. Cadogan journal article in the Canadian Intellectual Property Review

What Does CUSMA mean for IP rights in Canada? See IPIC’s Voices on Canadian Intellectual Property, Pocket IP Guide to CUSMA – the new NAFTA (Written by four IP professionals, including Marsha S. Cadogan)