Memorandum of Understanding (United Kingdom)
BETWEEN
THE PRIVACY COMMISSIONER OF CANADA AND THE INFORMATION COMMISSIONER OF THE UNITED KINGDOM
ON
MUTUAL ASSISTANCE IN THE ENFORCEMENT AND APPLICATION OF LAWS PROTECTING PERSONAL INFORMATION IN THE PRIVATE SECTOR
The Privacy Commissioner of Canada (“Canadian Commissioner”) and the Information Commissioner of the United Kingdom (“UK Commissioner”) (“the Participants”):
RECOGNISING the nature of the modern global economy, the increase in circulation and exchange of personal information across borders, the increasing complexity of information technologies, and the resulting need for increased cross-border enforcement cooperation.
RECOGNISING that both the OECD Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy and the APEC Privacy Framework call on member countries and economies to develop cross-border information sharing mechanisms and bilateral or multilateral enforcement cooperation arrangements;
RECOGNISING that s. 23.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) authorizes the Canadian Commissioner to share information with authorities from other countries that have responsibilities relating to the protection of personal information in the private sector;
RECOGNISING that the UK Commissioner is a corporation sole appointed by Her Majesty the Queen under the Data Protection Act 2018 (the “DPA”) to act as the UK’s independent regulator to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.
RECOGNISING that the Participants each have functions and duties with respect to the protection of personal information in the private sector in their respective countries; and
RECOGNISING that nothing in this Memorandum requires the Participants to provide assistance in the enforcement of laws protecting personal information in the private sector if such assistance is prohibited by their respective national laws or enforcement policies.
HAVE REACHED THE FOLLOWING UNDERSTANDING:
- Definitions
For the purposes of this Memorandum,
- “Applicable Privacy Laws” means the laws and regulations of the Participant’s country the enforcement of which have the effect of protecting personal information. In the case of the Canadian Commissioner, “Applicable Privacy Law” means Part 1 of the PIPEDA and, in the case of the UK Commissioner, it means the DPA, General Data Protection Regulation and any subsequent applicable privacy laws enacted in the UK; as well as any amendments to the Participants’ Applicable Privacy Laws, and such other laws or regulations as the Participants may from time to time jointly decide in writing to be an Applicable Privacy Law for purposes of this Memorandum.
- “Person” means any natural person or legal entity, including any corporation, unincorporated association, or partnership.
- “Request” means a request for assistance under this Memorandum.
- “Requested Participant” means the Participant from which assistance is sought under this Memorandum, or which has provided such assistance.
- “Requesting Participant” means the Participant seeking or receiving assistance under this Memorandum.
- “Covered Privacy Contravention” means conduct that would be in contravention of the Applicable Privacy Laws of one Participant’s country and that is the same or substantially similar to conduct that would be in contravention of the Applicable Privacy Laws of the other Participant’s country.
- Objectives and scope
- The Participants acknowledge that it is in their common interest to collaborate in accordance with this Memorandum, in order to:
- Ensure that the Participants are able to deliver the regulatory cooperation necessary to protect the fundamental rights of citizens of the United Kingdom and Canada respectively, in accordance with the Applicable Privacy Laws of the Participants’ respective jurisdictions;
- Cooperate with respect to the enforcement of their respective Applicable Privacy Laws;
- Keep each other informed of developments in their respective countries having a bearing on this Memorandum; and
- Recognise parallel or joint investigations or enforcement actions by the Participants as priority issues for co-operation.
- For this purpose, the Participants may jointly identify one or more areas or initiatives for cooperation. Such cooperation may include:
- sharing of experiences and exchange of best practices on privacy and data protection policies, education and training programmes;
- implementation of joint research projects;
- exchange of information (excluding personal information) involving potential or on-going investigations in relation to a Covered Privacy Contravention;
- joint investigations into cross border matters involving both jurisdictions (excluding sharing of personal information);
- convening bilateral meetings annually or as mutually decided between the Participants; and
- any other areas of cooperation as mutually decided by the Participants.
- This Memorandum does not impose on either Participant any obligation to co-operate with each other or to share any information. Where a Participant chooses to exercise its discretion to co-operate or to share information, it may limit or impose conditions on that request. This includes where (i) it is outside the scope of this Memorandum, or (ii) compliance with the request would breach the Participant’s legal responsibilities.
- The Participants acknowledge that it is in their common interest to collaborate in accordance with this Memorandum, in order to:
- Procedures Relating to Mutual Assistance
- Each Participant will designate a primary contact for the purposes of requests for assistance and other communications under this Memorandum.
- In requesting assistance in procedural, investigative and other matters involved in the enforcement of Applicable Privacy Laws across borders, Participants will ensure that:
- requests for assistance include sufficient information to enable the Requested Participant to determine whether a request relates to a Covered Privacy Contravention and to take action in appropriate circumstances. Such information may include a description of the facts underlying the request and the type of assistance sought, as well as an indication of any special precautions that should be taken in the course of fulfilling the request;
- requests for assistance specify the purpose for which the information requested will be used; and
- prior to requesting assistance, Participants perform a preliminary inquiry to ensure that the request is consistent with the scope of this Memorandum and does not impose an excessive burden on the Requested Participant.
- Participants intend to communicate and cooperate with each other, as appropriate, about matters that may assist ongoing investigations.
- The Participants will notify each other without delay, if they become aware that information shared under this Memorandum is not accurate, complete, and up-to-date.
- Subject to Section IV, Participants may, as appropriate and subject to their Applicable Privacy Laws, refer complaints to each other, or provide each other notice of possible Covered Privacy Contraventions of the Applicable Privacy Laws of the other Participant’s country.
- Participants will use their best efforts to resolve any disagreements related to co-operation that may arise under this Memorandum through the contacts designated under Section III. A, and, failing resolution in a reasonably timely manner, by discussion between the heads of the Participants.
- Limitations on Assistance and Use
- The Requested Participant may exercise its discretion to decline a request for assistance, or limit or condition its cooperation, in particular where it is outside the scope of this Memorandum, or more generally where it would be inconsistent with domestic laws, or important interests or priorities. The Requesting Participant may request the reasons for which the Requested Participant declined or limited assistance.
- The Canadian Commissioner will not share confidential information unless
- it is for the purpose set out in Section II.B.1; or
- it is necessary for making a request for assistance from the other Participant regarding information that may be useful to an ongoing or potential investigation or audit under Part 1 of PIPEDA.
- Participants will not use any information obtained from the Requested Participant for purposes other than those for which the information was originally shared.
- No Sharing of Personal Information
- The Participants do not intend that this Memorandum shall cover any sharing of personal information by the Participants.
- If the Participants wish to share personal information, for example in relation to any cross border matters involving both jurisdictions, each Participant shall consider compliance with its own Applicable Privacy Laws, which may require the Participants to enter into a written agreement or arrangement regarding the sharing of such personal information.
- Confidentiality
- Information shared under this Memorandum is to be treated as confidential and will not be further disclosed without the consent of the other Participant.
- Where confidential material is shared between the Participants it will be marked with the appropriate security classification.
- The Participants will oppose, to the fullest extent possible consistent with their countries’ laws, any application by a third party for disclosure of confidential information or materials received from Requested Participants, unless the Requested Participant consents to its release. The Participant who receives such an application will notify forthwith the Participant that provided it with the confidential information.
- Security and Data Breach Reporting
- Appropriate security measures shall be agreed to protect information transfers in accordance with the sensitivity of the information and any classification that is applied by the sender.
- Each participant will use best efforts to safeguard the security of any information received under this Memorandum and respect any safeguards agreed to by the Participants. In the event of any unauthorized access or disclosure of the information, the Participants will take all reasonable steps to prevent a recurrence of the event and will promptly notify the other Participant of the occurrence.
- Where confidential material obtained from, or shared by, the originating Participant is wrongfully disclosed or used by the receiving Participant, the receiving Participant will bring this to the attention of the originating Participant without delay.
- Changes in Applicable Privacy Laws
In the event of modification to the Applicable Privacy Laws of a Participant’s country that are within the scope of this Memorandum, the Participants will use best efforts to consult promptly, and, if possible, prior to the entry into force of such enactments, to determine whether to amend this Memorandum.
- Retention of Information
Information received under this Memorandum will not be retained for longer than is required to fulfill the purpose for which it was shared or than is required by the Requesting Participant’s country’s laws.
The Participants will use best efforts to return any information that is no longer required if the Requested Participant makes a written request that such information be returned at the time it is shared. If no request for return of the information is made, the Requesting Participant will dispose of the information using methods prescribed by the Requested Participant or if no such methods have been prescribed, by other secure methods, as soon as practicable after the information is no longer required.
- Costs
Unless otherwise decided by the Participants, the Requested Participant will pay all costs of executing the Request. When the cost of providing or obtaining information under this Memorandum is substantial, the Requested Participant may ask the Requesting Participant to pay those costs as a condition of proceeding with the Request. In such an event, the Participants will consult on the issue at the request of either Participant.
- Duration of Cooperation
- This Memorandum supersedes all other Memoranda of Understanding signed between the Participants and takes effect on the date it is signed.
- Assistance in accordance with this Memorandum will be available concerning Covered Privacy Contraventions occurring before as well as after this Memorandum is signed.
- This Memorandum may be terminated on 30 days written notice by either Participant. However, prior to providing such notice, each Participant will use best efforts to consult with the other Participant.
- This Memorandum can be modified, or supplemented, as agreed by the Participants in writing.
- On termination of this Memorandum, the Participants will, in accordance with Section VI, maintain the confidentiality of any information communicated to them by the other Participant in accordance with this Memorandum, and return or destroy, in accordance with the provisions of Section IX, information obtained from the other Participant in accordance with this Memorandum.
- Legal Effect
Nothing in this Memorandum is intended to:
- create binding obligations, or affect existing obligations under international law, or create obligations under the laws of the Participants’ countries;
- prevent a Participant from seeking assistance from or providing assistance to the other Participant pursuant to other agreements, treaties, arrangements, or practices;
- affect any right of a Participant to seek information on a lawful basis from a Person located in the territory of the other Participant’s country, nor is it intended to preclude any such Person from voluntarily providing legally obtained information to a Participant; or
- create obligations or expectations of cooperation that would exceed a Participant’s jurisdiction.
- Dispute Settlement
- The Participants will settle any disputes or disagreement relating to or arising from this Memorandum amicably through consultations and negotiations in good faith without reference to any international court, tribunal or other forum.
- The primary contacts designated under Section III.A will maintain an open dialogue between each other in order to ensure that the Memorandum remains effective and fit for purpose. They will also seek to identify any difficulties in the working relationship, and proactively seek to minimise the same.
Signed in duplicate, in the English and French languages, each version being equally authentic:
(Original signed by)
Elizabeth Denham
Information Commissioner of the United Kingdom
Date: 2020-01-13
Location: Wilmslow, UK
(Original signed by)
Daniel Therrien
Privacy Commissioner of Canada
Date: 2019-12-19
Location: Gatineau, QC
- Date modified: