Guidelines for processing personal data across borders: liability for transferring organizations

In response to growing concerns about the illicit use of personal information and its adverse consequences, such as identity theft, financial disclosures and the revelation of private health information, the Office of the Privacy Commissioner of Canada (OPC) released a document entitled “Guidelines for Processing Personal Data Across Borders” on January 27, 2009. This document explains how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to a third party, including a third party operating outside of Canada, for processing. As a reminder, there are two federal privacy laws in Canada – the Privacy Act and PIPEDA. Both are aimed at regulating the collection, use and disclosure of personal information. However, the Privacy Act is directed at federal departments and agencies, and is authority-based, requiring the existence of legal authority to collect, use or disclose information. PIPEDA, on the other hand, is aimed at Canadian private sector organizations and is consent-based, requiring consent to collect, use or disclose information.

The pith and substance of PIPEDA can best be characterized as “An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances”. Principle 1 of PIPEDA states:

“An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”

The guidelines clarify the meanings of the terms “transfer”, “processing” and “comparable level of protection”. “Transfer”, unlike disclosure, is intended to make the document available only for the use for which the information was collected. Similarly, “processing” is interpreted as the use of the document for the purpose for which the transferring organization can use it. Lastly, “comparable level of protection” means that the third party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred.

There are different approaches to protecting personal information that is being transferred for processing. European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers “adequate” protection for personal information. In contrast, Canada does not provide for any authoritative body to make the final call on whether an organization is well-equipped to provide comparable protection. Instead, the OPC recommends that organizations should pre-contract and take all reasonable steps before exchanging the personal information. There is also an underlying emphasis on the consideration that should be given to the third party jurisdictions’ legal requirements, and the “potential foreign political, economic and social conditions” that may reduce their ability to provide the service.

The Canadian approach rightly holds that the final decision on whether to transfer personal information lies with the host organization itself. With the increase in the outsourcing of processes to third parties, it is only fair that the organizations realizing potential cost savings and making profits also bear the burden associated with personal information misuse. The guidelines also emphasize the need for transparency towards customers, such as their access to the organization’s personal information handling practices. Such a possibility creates a strong incentive for these organizations to be extra careful and to make a conscious and well-informed decision about the transferring of personal information. Overall, Principle 1 of PIPEDA strikes a balance between the protection of individuals’ personal information and the business necessity of transferring information. Therefore, it appears that the current approach adopted by Canada is an efficient way to achieve a safe and favourable personal data transfer.