Privacy Commissioner pens guidelines for outsourcing

The Office of the Privacy Commissioner of Canada (OPC) has published some useful Guidelines for Processing Personal Data Across Borders to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties, including third parties operating outside of Canada, for processing.

As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.

PIPEDA provides that

an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

The primary means by which an organization can protect personal information that it transfers to a third party for processing is a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that, while the information is in that jurisdiction, it may be accessible to the courts, law enforcement and national security authorities there.

Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.


2 Responses to “Privacy Commissioner pens guidelines for outsourcing”

  1. mjason says:

    Would you have a recommendation for the approach to use when protecting information between organizations on transfers to third parties? Should the other organization simply agree to comply with PIPEDA, or should you specifically list and have the other organization acknowledge the obligations described in Schedule 1?

  2. Brian Bowman says:

    Thanks for your question, Michael.

    The approach that I recommend is to enter agreements with third parties that (like other comprehensive business contracts) specifically list the rights and responsibilities of the parties. In my view, simply stating in the agreement that the other organization agrees to comply with PIPEDA is insufficient. Greater detail in the agreement, however, will help to mitigate problems arising in the future and, in my view, is required to meet the letter and spirit of the law. The types of terms will, to some extent, often match the obligations described in Schedule 1 to PIPEDA, but should (for business reasons as well as legal ones) go much further. For example, many of these types of agreements contain privacy auditing rights and spell out the process for dealing with consents and withdrawals of consent. A company’s personal information holdings are one of its most valuable assets, so undertaking this type of due diligence is worth it!
