An Explainer on Cross Border Personal Data Transfers: Helpful Measures for Businesses

Author: Marsha Simone Cadogan | MSC Intellectual Property & Technology Law (MSC IPTL)

Your personal information is important. It likely includes private and confidential data that should not be widely known or shared with others. In recent years, data breaches have become more common, compromising consumers' privacy and damaging businesses' credibility. We share an enormous amount of data every day, in a world where data is generated, shared, analyzed, and disclosed in many formats and for many purposes. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal information by private-sector organizations. Provincial laws such as Ontario's Personal Health Information Protection Act (PHIPA) impose duties on health care institutions and providers to protect the personal health information in their custody.

PIPEDA applies to information about identifiable natural persons, some of which may be sensitive. This includes financial data such as credit scores and loan records, health records, and personal attribute data such as age, identification numbers, blood type, and ethnic origin. As businesses adopt more digital solutions in their day-to-day operations, acquiring, using, and disclosing personal data will become more commonplace. A business that transacts with private-sector entities in other countries and shares its clients' personal data in doing so has a responsibility to ensure that measures are in place to safeguard that data.

The receiving party may also have a contractual obligation to protect the Canadian data in its possession. It remains the Canadian organization's responsibility, however, to ensure that the foreign entity protects the data and uses it only for the purposes set out in a well-drafted contract; under PIPEDA's accountability principle, transferring data to a third party for processing does not transfer accountability for it. Both the digital trade/e-commerce chapters of the Canada-United States-Mexico Agreement (CUSMA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) include provisions on how the personal information of natural persons should be treated in the contracting parties' jurisdictions. CUSMA's language and outlook on cross-border personal data transfers are the same as those in the CPTPP. On its own, this is not a significant issue. In practice, it means that at least eleven countries (the parties to the CPTPP and CUSMA) will eventually take a similar approach to how personal data is collected, used, and disclosed within and between countries. In Canada, PIPEDA and the Office of the Privacy Commissioner's (OPC) Guidelines for Processing Personal Data across Borders provide guidance on how cross-border data transfers should be handled.

The European Union's (EU) General Data Protection Regulation (GDPR) offers the most comprehensive protection of personal data. It is focused on people in the EU, but it also applies to Canadian companies that offer goods or services to, or monitor the behaviour of, individuals in the EU. Canadian businesses that serve EU clients should therefore already have implemented GDPR-compliant measures as part of their data governance strategy. At the same time, Canadian companies' data policies must meet the lower compliance requirements of PIPEDA. PIPEDA, however, is out of date with the realities of our digital economy. With data flowing increasingly within and across organizations, most consumers want to know how their data is disclosed, on what terms, and how much of it; PIPEDA does not adequately address these concerns. For example, a consumer would want to be informed if their credit score, age, and ethnicity were transferred to a company based in Japan that uses the data to develop and test a financial app for the Canadian company. The company may assert that it has consent to disclose the information because doing so falls within the general purposes a customer would expect of the business. But a company whose business is providing loans does not have the right to use personal information for ancillary purposes without the individual's consent, and this is not clearly specified in PIPEDA. With Bill C-11 off the legislative table, an overhaul of data privacy law would still be a significant step towards dealing with the realities of a data-driven economy.

Three Helpful Measures for Businesses Involved in Cross Border Personal Data Transfers

  • Implement internal policies on data security, access, and management that are in line with federal and provincial laws on the collection, use, and disclosure of personal information. In practice this means limiting access to personal data to staff who need it, protecting the data in transit and at rest, and keeping records of what is transferred, to whom, and why.
  • Ensure that contracts clearly lay out the terms and conditions under which personal data is transferred. These should be based on PIPEDA, the OPC's Guidelines for Processing Personal Data across Borders, and any other law that protects the security and confidentiality of a client's personal data, and they should be context specific; a one-size-fits-all approach will likely not work. At a minimum, a contract should restrict the recipient to the stated purposes, require appropriate security safeguards, require prompt notice of a breach, and require the data to be returned or deleted when the engagement ends.
  • Inform individuals that their data is being transferred across borders. Notification should happen before the transfer and should be stated in the business's privacy policy. Any significant change in business operations that affects how personal data is disclosed should be reflected in company manuals and privacy policies, and may need to be communicated directly to customers. A business should also assess the purpose for which personal data is being transferred to third-party service providers. If the transfer is for the same purpose for which the data was originally collected, additional consent from the customer is not required; if it is for a new purpose, fresh consent is.

Cyber attacks are now more frequent than before, and they give attackers access to large amounts of data, some of it sensitive. Taking a proactive approach to privacy in cross-border data transfers helps to protect clients' privacy and the stability of the business.