Appendix 3: Cross-border Data Flows and Transfers for Processing - Jurisdictional Analysis

September 28, 2020

1. Cross-border Data Flows

The questions that must be addressed with cross-border data flows are multiple. They include:

What is the nature and extent of the obligations and legal responsibility of organizations when they transfer data across borders?
In what circumstances and to what extent should the following factors impact the responsibility of Canadian organizations when data flows across borders?
- The commercial relationship with the organization in the other country
- The measures taken by the Canadian organization to protect the information in the hands of the offshore entity
- The nature of the legal regime in place in the offshore organization’s country
Where an assessment of another country’s legal system is required, who should carry this out?
What criteria should guide assessments and what standards should be applied?
What role does law enforcement/national security access to personal data in the offshore country play in assessing the legitimacy of a transfer?
What special oversight/enforcement mechanisms might be required?

This section considers how these issues are dealt with under the GDPR, the laws of Australia and New Zealand, Quebec’s Bill 64, and Convention 108+.

i. GDPR

The GDPR’s rules on cross-border data flows are found in Articles 44 to 50. In particular, Article 44 provides that personal data “which are undergoing processing or are intended for processing after transfer to a third country” can only flow across borders if conditions in the GDPR are met by both controller and processor. This also applies to any onward transfer of personal data from the country of processing. Under the GDPR, controllers are responsible for putting in place “appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”^{Footnote 1} Any relationship with a processor must be governed by contractual terms that are enforceable by the controller.^{Footnote 2} Processing is defined broadly to mean:

[…] any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.^{Footnote 3}

Cross border transfers of data for processing are permitted if the European Commission has decided that the country (or a territory or sector within that country) “ensures an adequate level of protection.”^{Footnote 4} The adequacy of the legal regime in the country of transfer is addressed in Article 45. Where adequacy is found, the transfer does not require any specific authorization.

Article 45 also sets out the factors to take into account in assessing adequacy. These are:

the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred^{Footnote 5}

Also relevant to adequacy are issues of effective supervisory, oversight, and enforcement bodies and their accessibility to data subjects, as well as their degree of co-operation with the supervisory body in the transferor’s country.^{Footnote 6} The Commission may also take into account the destination country’s international commitments “in particular in relation to the protection of personal data.”^{Footnote 7}

Once the Commission determines that a jurisdiction meets the adequacy assessment, the assessment is subject to periodic review “at least every four years.”^{Footnote 8} This review takes into account any relevant changes in the jurisdiction’s laws. Because an adequacy finding can be for a country or a particular region or sector within that country, the assessment must specify to what it relates. The Commission has an ongoing monitoring role with respect to developments in other countries.^{Footnote 9} An adequacy assessment can be revoked or amended if the Commission is of the view that the country/region/sector at issue “no longer ensures an adequate level of protection”^{Footnote 10} While the adequacy regime can greatly facilitate cross-border data flows under the GDPR, it imposes an ongoing regulatory burden.

An adequacy decision is not the only means by which data may flow from the EU to another country/region/sector. Where there is no adequacy assessment, Articles 46 to 49 of the GDPR provide for alternatives.^{Footnote 11} One of these is where the entity to which data are transferred in the destination country “has provided appropriate safeguards”.^{Footnote 12}

Article 46(2) sets out a list of appropriate safeguards. Where these safeguards are in place, then data may be transferred without having to seek authorization from a supervisory authority within the EU. The possible safeguards include binding corporate rules,^{Footnote 13} standard data protection clauses adopted by the Commission,^{Footnote 14} standard data protection clauses adopted by the national regulator and approved by the Commission,^{Footnote 15} an approved sectoral code of conduct combined with binding and enforceable commitments of the recipient to apply the appropriate safeguards,^{Footnote 16} or an approved certification mechanism combined with binding and enforceable commitments of the recipient to put in place appropriate safeguards.^{Footnote 17} All of these measures require prior Commission or supervisory authority approval. In all cases the availability of enforceable data subject rights is important. Another alternative in art. 46(3), but one which is subject to authorization from the relevant supervisory authority, is the adoption of contractual clauses between the transferor and the recipient.^{Footnote 18}

Where there is no adequacy decision and no appropriate safeguards as per article 46, there is a final set of options provided in article 49 of the GDPR for cross-border data flows. The first of these is based upon the consent of the data subject to the transfer. Where consent is relied upon, it must be explicit, informed, and specific to the particular transfer. It must address the risks associated with the transfer, including that the transfer is being made to a country that “does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.”^{Footnote 19} Other exceptions require a demonstration of the necessity of the transfer for certain objectives, or the underlying public interest.^{Footnote 20}

The Schrems II^{Footnote 21} decision sheds light on how these requirements receive practical application. In Schrems II, the European Court of Justice rejected the adequacy of the EU-US Privacy Shield as a basis for cross-border data transfers. This agreement replaced the EU-US Safe Harbour Agreement which had been invalidated by the Schrems I decision.^{Footnote 22} The EU-US Privacy Shield was a mechanism whereby companies could self-certify and publicly commit to comply with the privacy framework put in place to ensure an adequate level of protection for personal data (as defined by the GDPR). In invalidating the Privacy Shield, the Court of Justice of the European Union found that “certain programmes enabling access by US public authorities to personal data transferred from the EU to the US for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements”^{Footnote 23} equivalent to those available under EU law.

Secondly, and perhaps more importantly from a Canadian perspective, the Court made two broad findings with respect to the use of Standard Contractual Clauses (SCCs), another GDPR alternative to an adequacy assessment. The European Court of Justice found that such clauses were valid even if they do not bind the authorities of the country to which data is transferred. However, the Court ruled that transfers of data based on SCCs must be suspended or prohibited if SCCs are breached or if it is not possible to honour them. In the case of the US, the Court found that the same requirements of US national security law that doomed the EU-US Privacy Shield were also a barrier to honouring commitments under SCCs. Reliance upon SCCs might be possible, on a case-by-case basis, provided that “US law does not impinge on the adequate level of protection they guarantee.”^{Footnote 24} Some EU data protection authorities have issued preliminary opinions that the Court’s ruling means that data transfers to the US are no longer possible.^{Footnote 25} Others have indicated that transfers based on SCCs may still be possible depending upon the parties and the provisions.^{Footnote 26} Some have indicated that transfers under SCCs are at this point questionable.^{Footnote 27}

A third point is that the Court also found problematic the inability of EU residents to obtain appropriate recourse under US law where data was accessed under national security legislation.^{Footnote 28} For example, in Schrems II the Court noted that data subjects did not have “actionable rights before the courts against the US authorities.”^{Footnote 29} This meant that there was a failure to meet the requirement that where data is transferred outside the EU for processing, data subjects have “effective and enforceable rights”.^{Footnote 30} Under art. 45 of the GDPR, “effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred” are an essential element of an adequacy finding.

The European Data Protection Board has indicated that although the Schrems II decision does not address other means of facilitating cross-border data transfers, measures such as binding corporate rules are likely also to be affected, “since US law will also have primacy over this tool.”^{Footnote 31} The impact on other tools remains to be assessed, although the Board indicates that the standard will be one of “essential equivalence”.^{Footnote 32}

Although Schrems II deals with a data transfer to the US, the standards it sets are applicable to data transfers to all countries outside of the EU.^{Footnote 33} The Court of Justice emphasized that in the absence of an adequacy decision, it was the responsibility of the parties to the data transfer to assess whether the guarantees set out in SCCs or binding corporate rules are capable of being complied with, whether supplementary measures are necessary, and whether, even with supplementary measures, personal information can appropriately be protected.^{Footnote 34} If it cannot, the transfer cannot take place.

The Schrems II decision makes clear the importance of an adequacy assessment when it comes to dealings with the EU. Such an assessment greatly facilitates cross-border data flows. In the absence of an adequacy assessment, there are other options available to parties. However, they may not be able to overcome the identified deficiencies in the national system of the third country. Even if they are, this may involve considerable effort and expense on the part of the contracting parties.

Using its considerable collective economic clout, the EU has designed a system which relies heavily upon restricting data flows to organizations in jurisdictions where a comparable level of data protection is not available. This comparable level of protection may be achieved by different means. The simplest for organizations is a finding of adequacy. Where there is no adequacy, other options are available, requiring different levels of effort, and considerable involvement of the Commission or national supervisory authorities. As Schrems II makes clear, however, even these measures may be derailed if national security or law enforcement powers in the destination country allow for excessive access to personal data with inadequate recourse for EU data subjects. While such a regime may offer a high level of protection for the personal data of EU residents, it relies upon a level of economic clout that Canada does not have. Further, it is a complex regime that requires substantial government and regulatory resources.

ii. Australia

One of the express goals of Australia’s Privacy Act 1988 (APA)^{Footnote 35} is to “facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.”^{Footnote 36} The APA addresses cross-border data flows in s. 16C as well as under Australian Privacy Principle (APP) 8 of its Information Privacy Principles.^{Footnote 37} Like PIPEDA, the APA is framed around the collection, use, and disclosure of personal data. Cross-border transfers are considered to be ‘disclosures’ of personal information.

‘Disclose’ is not a defined term in the APA. However, it has been interpreted by the Office of the Australian Information Commissioner (OAIC) to include any act that makes personal information “accessible to others outside the entity and releases the subsequent handling of the information from its effective control.”^{Footnote 38} The OAIC focuses on the act of disclosure and not the state of mind of the party disclosing. This means that even accidental or unauthorized releases are disclosures.^{Footnote 39} The OAIC provides examples of disclosures of personal information to overseas recipients. These include where the recipient:

shares the personal information with an overseas recipient
reveals the personal information at an international conference or meeting overseas
sends a hard copy document or email containing an individual’s personal information to an overseas client
publishes the personal information on the internet, whether intentionally or not, and it is accessible to an overseas recipient.^{Footnote 40}

The OAIC specifies that a disclosure does not take place “until the personal information reaches the overseas recipient.”^{Footnote 41} In other words, the routing of personal information through offshore servers is a use, not a disclosure.^{Footnote 42} Further, OAIC guidance provides that offshore cloud storage of personal information is not a disclosure as long as there are binding contracts that limit the cloud services provider and any subcontractors to handling the personal information only for storage purposes, and the Australian entity retains “effective control” over how the information is handled. Such effective control includes “the right or power to access, change or retrieve the personal information”, and to control who can access it and for what purposes.^{Footnote 43}

APP 6 applies to uses and disclosures of personal information. Since a cross border transfer is treated as a disclosure, such transfers must also be compliant with APP 6. In particular, Clause 6.1 provides that “If an APP entity holds personal information about an individual that was collected for a particular purpose [… ], the entity must not use or disclose the information for another purpose.” Thus, a transfer for processing must be for a purpose for which the information was originally collected, unless one of the statutory exceptions to this rule applies.^{Footnote 44}

According to clause 8.1, an “overseas recipient” has to be outside Australia or an external Territory. It explicitly excludes the entity that is disclosing the personal data. This means that transfers from an Australian entity to one of its offices overseas are not subject to the rules for cross border data transfers.^{Footnote 45} On the other hand, a transfer from an Australian entity to a “related body corporate” will be treated as a transfer to an overseas recipient.^{Footnote 46}

Clause 8.1 of APP 8 provides that in order for a data transfer to take place, an Australian transferor must “take such steps as are reasonable in the circumstances” to ensure that the overseas recipient does not act in a way that leads to a breach. The ‘reasonable steps’ required by Clause 8.1 typically involve enforceable contractual arrangements.^{Footnote 47} The OAIC does not provide Standard Contractual Clauses for inclusion in any transfer agreement. However, it provides guidance in the form of a list of considerations for contractual arrangements.^{Footnote 48} In addition, the OAIC has published a list of factors that it will take into account in assessing whether reasonable steps have been taken in any compliance monitoring process such as an audit.^{Footnote 49} These factors include the sensitivity of the personal information, the risk of harm to individuals, and technical safeguards put in place by the overseas recipient.^{Footnote 50} While an entity can take into account the burden, time and cost of providing adequate protection, the OAIC cautions that “an entity is not excused from ensuring that an overseas recipient does not breach the APPs by reason only that it would be inconvenient, time-consuming or impose some cost to do so.”^{Footnote 51}

Clause 8.2 provides that clause 8.1 does not apply to cross-border data transfers where the Australian entity “reasonably believes” that certain circumstances exist.^{Footnote 52} The first of these circumstances is where the recipient is subject to a law or “binding scheme” in their own country that offers at least a “substantially similar” protection to what is available under the APPs and there are mechanisms that data subjects can access to enforce the law or binding scheme. Having a “reasonable belief” is interpreted by the OAIC to mean having “a reasonable basis for its belief, and not merely a genuine or subjective belief.”^{Footnote 53} It indicates that an Australian entity bears the burden of justifying its reasonable belief and suggests that independent legal advice might be one way to do so.^{Footnote 54}

Clause 8.2(a) has three essential components. First, the overseas recipient must be subject to a law or binding scheme. While the law will in most cases be a data protection law, it is also possible that another type of law might impose information handling requirements that offer substantially similar protection.^{Footnote 55} The “binding scheme” could be “an industry scheme or privacy code that is enforceable once entered into.”^{Footnote 56} or it could be a set of Binding Corporate Rules (BCRs).^{Footnote 57} On this point, the OAIC refers to BCR put in place under the EU’s GDPR. If, for example, an Australian entity was part of a group subject to BCR established under the GDPR it could transfer data to other entities in other countries that were subject to the same BCR. In this way, Australian companies can piggy-back on a scheme implemented under the GDPR and subject to the GDPR’s explicit requirements and regulatory oversight.

The second component of clause 8.2(a) is that the law or scheme to which the recipient is bound must be “substantially similar” to Australia’s APPs. According to the OAIC,

A substantially similar law or binding scheme would provide a comparable, or a higher level of privacy protection to that provided by the APPs. Each provision of the law or scheme is not required to correspond directly to an equivalent APP. Rather, the overall effect of the law or scheme is of central importance.^{Footnote 58}

In its Guidance, the OAIC provides examples of relevant factors in assessing substantial similarity. These include the definition of personal information, notification requirements, data quality and security standards, rights of access and correction, and the general way in which collection, use and disclosure of personal information are governed.^{Footnote 59}

The third component of clause 8.2(a) is the requirement that there be mechanisms in place for the individual data subject to enforce privacy provisions. While this could be a complaints process to a regulator, it can also be “an accredited dispute resolution scheme, an independent tribunal or a court with judicial functions and powers.”^{Footnote 60} A combination of mechanisms can also be acceptable.

Alternatively, subclause 8.2(b) allows for transfers to proceed without need to comply with clause 8.1 where data subjects have provided express consent, following clear notification, to the data transfer taking place without the protection afforded by Principle 8.1. OAIC guidance requires a very clear notice and consent in these circumstances. When it comes to explaining the potential consequences of the transfer taking place without the protection of the APPs, the OAIC requires the individual to be notified that if they consent and the overseas recipient mishandles the information, the Australian entity will not be accountable and the individual will have no recourse under the APA.^{Footnote 61} If the overseas entity is not subject to any privacy obligations or if redress overseas is not available for the individual, they should also be informed. Further, individuals should be notified if “the overseas recipient is subject to a foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority.”^{Footnote 62}

Subclause 8.2(c) allows for a cross-border data transfer without consent where it is required or authorized under Australian law, where certain statutory exceptions for disclosure apply,^{Footnote 63} or where the transfer is required or authorized under an international information sharing agreement.^{Footnote 64}

Section 16C of the APA establishes the responsibility of Australian entities that disclose personal information to overseas recipients. It provides that an Australian entity is considered to have breached the APPs where an overseas recipient “does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles [… ] if those Australian Privacy Principles so applied to that act or practice”.^{Footnote 65} Accountability follows the structure of APP 8.1 and 8.2. Clause 8.1 essentially requires the Australian entity to take reasonable steps, usually in the form of contractual arrangements to ensure that an overseas entity handles the personal data appropriately. An Australian entity that relies upon 8.1 is held accountable for any breaches of the APP by the offshore entity – whether deliberate or inadvertent.^{Footnote 66}

The situation is otherwise if the data transfer has taken place under clause 8.2. The Australian entity is not held liable if they transferred data offshore in the ‘reasonable belief’ that the offshore entity is subject to a law or binding scheme that offers at least substantially similar protection to that available under the APPs. Compliance with 8.2 requires that there be mechanisms in place that allow data subjects to enforce their rights. The Australian entity will also not be held liable if data subjects have provided express consent to a transfer of data without the usual protections. Thus, under the Australian scheme, ‘adequacy’ or its equivalents allow the Australian entity to shift the burden of accountability to the offshore entity.

Australian law deals with law enforcement or national security access by foreign state actors outside of Australia differently than the GDPR. Essentially, subsection 6A(4) of the APA provides that an act in respect of personal information does not breach the APPs if it is done outside of Australia and is “required by an applicable law of a foreign country.” This means that the Australian entity is not accountable if such access takes place. The OAIC, in its Guidance, uses the specific example of the USA PATRIOT ACT.^{Footnote 67} Further, there is no legislated requirement to notify individuals of the potential for such disclosures, although OAIC guidance suggests that an entity “could consider” providing notification of the risks that such information sharing may be required under foreign law.

The Australian regime is not explicitly organized around whether a particular cross-border data flow is a ‘use’ or a ‘disclosure’; the term ‘disclosure’ is used for all cross-border transfers. Instead, the regime is structured around accountability. Where data is to be disclosed across borders, accountability lies with either the Australian entity that transfers the data or the offshore company, depending on which clause (8.1 or 8.2) applies. Where enforceable contractual arrangements alone are relied upon to protect the personal data, the Australian entity remains accountable for any breach. Where there is a ‘reasonable belief’ that a substantially similar level of protection is available for the personal data, or where the entity has obtained a very clear and precise consent to a transfer without the usual safeguards, the responsibility for any breach will lie with the offshore organization. In practical terms, this would map onto a Canadian-style use/disclosure dichotomy, since ‘uses’ fall within the agency-type arrangement usually dealt with by contracts; whereas a disclosure, which involves a loss of control over the data by the domestic entity because the recipient plans to use the data for their own purposes, will require something different. In this case, that something different must be assurances that the recipient organization is bound by substantially similar data protection obligations that can be enforced by Australian data subjects.

Table I below summarizes how the Australian regime assigns accountability.

Table I: Accountability for Cross-Border Data Flows in Australia

Text version of Table I

Table I: Accountability for Cross-Border Data Flows in Australia

“Disclosure” of personal data outside the country (broadly defined to capture most outsourcing and cross-border data flows (excluding cloud storage in specific circumstances)
- Take “such steps as are reasonable” to ensure the overseas entity does not do anything that would breach APP principles (typically, enforceable contractual arrangements)
  - Australian entity remains accountable for any breach of APPs by overseas entity
- Where Australian entity “reasonably believes” that the overseas entity is subject to a law or "binding scheme" providing a "substantially similar" level of protection as the APPs
  
  Where the Australia entity has obtained express consent to send data overseas without usual protections
  - If Australian entity has met its burden of establishing a reasonable belief, accountability shifts to the overseas entity
- National security access by foreign state actors outside of Australia
  - No accountability. No legislated requirement to provide notice to individuals of the potential for such disclosures

iii. New Zealand

On June 30, 2020, a bill to amend New Zealand’s Privacy Act,^{Footnote 68} received royal assent, with amendments to take effect on December 1, 2020. Among the changes to the Act are new provisions that will strengthen protection for cross-border data flows. These are described in a Cabinet document as part of a suite of changes “to reflect the needs of the digital age.”^{Footnote 69} The same report notes that “[p]ublic confidence in cross-border information flows is essential for New Zealand’s effective participation in global markets.”^{Footnote 70}

Prior to the amendments, the legislation contained provisions that governed data that was received in New Zealand from overseas, and that was further transferred abroad. These remain substantially the same in the amended version of the legislation.^{Footnote 71} Under these provisions, the Commissioner can prohibit the further transfer of overseas personal information outside New Zealand where he or she is satisfied on reasonable grounds that the information will not receive protection comparable to that provided under New Zealand’s Privacy Act in the destination state, and where the transfer “would be likely to lead to a contravention of the basic principles for data protection set out in the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data.^{Footnote 72} In addition to the criteria for prohibiting a transfer set out in section 114B(1),^{Footnote 73} section 114B(2)^{Footnote 74} directs the Commissioner to take into account other considerations, including whether the transfer might affect any individual, the “desirability of facilitating the free flow of information between New Zealand and other states,” and any international guidelines relating to the free flow of data. These provisions do not apply where the data transfers are required or authorized by law or required by an international convention to which New Zealand is a signatory. The Commissioner is empowered to hold an inquiry into whether a transfer of data should be allowed. A transfer prohibition notice issued by the Commissioner must set out certain details, prescribed in s. 114D,^{Footnote 75} which include the personal information included in the prohibition, and whether the prohibition is absolute or subject to being lifted if specified steps are taken by the transferor. Any such order is subject to an appeal. Section 114E^{Footnote 76} allows the Commissioner to vary or cancel a transfer prohibition order should the circumstances warrant it. The law provides for fines against any company that fails to comply with a transfer prohibition notice, although the fine remains capped at a modest $10,000.

Like PIPEDA and the APA, the New Zealand Privacy Act^{Footnote 77} (NZPA) is organized around the actions of collection, use and disclosure of personal information. However, s. 11 of the NZPA identifies special circumstances where data is transferred from one organization to another without constituting a “disclosure”.^{Footnote 78} Specifically, if the recipient holds data as an agent for the transferor (e.g. for safe custody or processing) then the data is considered to be held by the transferor and not the recipient.^{Footnote 79} In such circumstances, neither the flow of data from transferor to recipient, or back again, is considered a use or a disclosure.^{Footnote 80} The New Zealand Privacy Commissioner has described this provision as applying, for example, in the case of a provider of cloud storage services,^{Footnote 81} or in cases where data is outsourced for processing.^{Footnote 82} However, if the recipient uses or discloses the personal information for their own purposes, then the data is considered to have been disclosed by the New Zealand entity. As a Cabinet paper explains, “Once disclosed overseas, the information falls outside the Act’s jurisdiction.”^{Footnote 83} As a result, a new privacy principle has been introduced which places the onus on the New Zealand organization to ensure that the data will receive an acceptable level of protection in the country of transfer. According to the Cabinet document, “The new privacy principle will give agencies considerable flexibility around what steps they take to ensure the acceptability of privacy standards in relevant foreign countries.”^{Footnote 84}

The reformed New Zealand Privacy Act contains a new Information Privacy Principle (IPP) 12, titled “Disclosure of personal information outside New Zealand” that specifically addresses cross-border data flows.^{Footnote 85} As noted above, IPP 12 will apply to disclosures of data outside the country. It will not apply where data is outsourced for processing or storage, as long as the recipient is not also using the data for their own purposes. IPP 12 is linked to IPP 11, “Limits on disclosure of personal information.” IPP 11 sets the basic requirements for the disclosure of information, and these must also be complied with for cross-border disclosures. For example, a disclosure must still be consistent with the purposes for which the information was collected and the data subject must have consented to the disclosure. However, IPP 12 permits reliance upon IPP 11 alone for disclosures to a “foreign person or entity” only if certain conditions are met. The first condition is where the data subject has expressly consented to a disclosure in circumstances where the recipient “may not be required to protect the information in a way that, overall, provides comparable safeguards to this Act”. A second possibility is where the recipient, although a foreign company, is carrying on business in New Zealand and the transferor has reasonable grounds to believe that the recipient is subject to the NZ Privacy Act.

In all other cases, Clause 12(1)(c) of IPP 12 permits an overseas disclosure of data where the transferor “believes on reasonable grounds” that the recipient is “subject to privacy laws that, overall, provide comparable safeguards to those in this Act.”^{Footnote 86} As is the case in Australia, this provision puts the onus on the transferor to assure themselves of the adequacy of another country’s laws. It is not clear what amount of due diligence is required by “reasonable grounds”, nor is it clear how “comparable safeguards” should be assessed. It is anticipated that the Commissioner will provide guidance on these issues.^{Footnote 87}

IPP 12 will also permit disclosures where the NZ organization has “reasonable grounds” to believe that the recipient is participating in a “prescribed binding scheme”. A prescribed binding scheme is one that is specified by regulations.^{Footnote 88} The regulations will enable the responsible Minister to recommend to the Governor-General that a binding scheme be prescribed, but he or she may only do so where satisfied “that the binding schemes require a foreign person or entity to protect personal information in a way that, overall, provides comparable safeguards” to those in the Act.^{Footnote 89} The new provisions also allow for the possibility of a made-in-New Zealand adequacy assessment. Clause 12(1)(e) of IPP 12 provides that the transfer may take place if the transferor believes on ‘reasonable grounds’ that the recipient “is subject to privacy laws of a prescribed country.”^{Footnote 90} A prescribed country is one specified in regulations made under section 214 of the 2020 Act. This provision requires the Minister to consult with the Commissioner in developing regulations for prescribing countries. A country may be prescribed only if the Minister is satisfied that it has “privacy laws that, overall, provide comparable safeguards to those in this Act.^{Footnote 91} The prescribing of a country may also be limited to a particular type of foreign person or entity to which information may be disclosed, or to the type of information that may be disclosed to a person or entity within that country.^{Footnote 92}

Alternatively, the parties can enter into an agreement, so long as the transferor believes on “reasonable grounds” that the agreement provides “comparable safeguards” to those in the Act.^{Footnote 93} The New Zealand Privacy Commissioner is planning to publish model contractual clauses that can be used with cross border data transfers.^{Footnote 94} These clauses will not be mandatory. Instead, the goal is to “create a benchmark for the relevant matters that should be addressed when making sure there are reasonable privacy safeguards when personal information is disclosed overseas.”^{Footnote 95}

Exceptionally, under s. 30 of the NZPA 2020, the Commissioner can authorize a cross-border flow of data that would otherwise contravene IPP 12 in very specific circumstances set out in the legislation. Authorization depends on the Commissioner finding a clear public interest in the disclosure or something that would be of clear benefit to the individual, outweighing any possible harm or detriment.

IPP 12(2) contains an overall exception for cross-border disclosure of personal information for purposes of law enforcement, legal proceedings, or public health or safety in circumstances where it is not practicable for the transferor to comply with the requirements set out in IPP 12(1).

These provisions have yet to take effect, and there is currently no application or interpretation of this new scheme. In its report on the bill, the Cabinet Social Policy Committee noted that the provisions were drafted so as to “give agencies considerable flexibility around what steps they take to ensure the acceptability of privacy standards in relevant foreign countries.”^{Footnote 96}

Under this scheme, New Zealand organizations that outsource data across borders for processing remain accountable for what happens to that data (See Table II below). The data will typically be protected by the terms of the outsourcing agreement and the New Zealand organization can be held to account under the NZPA. By contrast, where information is disclosed outside the country, the organization to which data is disclosed is considered outside the reach of the NZPA. As a result, the New Zealand organization bears the burden of ensuring that ‘comparable safeguards’ are in place. This can include determining that the organization to which data is disclosed is subject to a legal regime that provides comparable safeguards. They can also take the form of a prescribed binding scheme, or an agreement between the parties. Where the New Zealand organization does not take reasonable steps to protect the information as required by the NZPA, it will be liable for any breach committed by the overseas agency. However, if reasonable steps have been taken, it will be exempt from liability.^{Footnote 97}

Although the new scheme is anticipated to increase compliance costs for New Zealand organizations, the Cabinet Social Policy Committee noted that these costs “are mitigated by the exceptions to the principle and the ability of the Commissioner to publish a list of acceptable overseas frameworks.”^{Footnote 98} The additional costs are also “justified in order to introduce greater protections for individuals.”^{Footnote 99}

Table II: Allocation of Accountability – New Zealand

Text version of Table II

Table II: Allocation of Accountability – New Zealand

Outsourcing arrangements, including cloud storage
- Agency relationship
- Protections put in place using contractual arrangements
- New Zealand entity is accountable
Disclosures (where data is used for the recipient’s purposes)
- New Zealand organization must believe on ‘reasonable grounds’ that the recipient is subject to privacy laws providing ‘comparable safeguards’, or prescribed binding scheme, or is subject to privacy laws of a ‘prescribed country’
- Or, contractual provisions that the NZ entity believes on ‘reasonable grounds’ will provide ‘comparable safeguards’
- The country of transfer is on a ‘prescribed’ list of countries considered to provide ‘comparable safeguards’
- NZ entity is accountable for putting in place appropriate safeguards; once these are in place, accountability shifts to oversees entity
Data received from another country that a NZ entity wants to further transfer abroad
- Commissioner can prohibit further transfer if satisfied on reasonable grounds that the information will not receive protection comparable to that provided under NZ’s Privacy Act in the destination state

iv. Quebec

Quebec’s Bill 64^{Footnote 100} contains provisions that would specifically amend its private sector data protection law^{Footnote 101} as regards cross border data flows. In the case of Bill 64, the borders in question are those of the province of Quebec. This means that data flows from Quebec to other provinces in Canada – as well as outside the country – will be captured by the new provisions.

If Bill 64 is enacted, a new s. 17^{Footnote 102} would apply where a Quebec entity ‘communicates’ information outside provincial boundaries. While the focus on this new provision appears to be on ‘communications’ (disclosures) of data, s. 17 also provides that it will also apply where a Quebec entity “entrusts a person or body outside Quebec with the task of collecting, using, communicating or keeping such information on its behalf.” The scope of this provision is potentially quite broad. Unlike New Zealand, where the cross-border provisions apply only outside of agency relationships, s. 17 seems to specifically include agency relationships where the recipient of the data is outside of Quebec.^{Footnote 103} In addition, not only would it seem to include offshore cloud storage of data, it might capture other uses of digital services. For example, if a police service in Quebec contracts with a US-based provider for facial recognition services that rely upon the provider’s US-based database of images, are they entrusting this company to collect, use and communicate information on its behalf? If so, the organization could not use this service unless there is an agreement in place that meets the requirements of s. 17.

According to Bill 64, the legitimacy of a proposed cross-border flow will depend on a number of factors which include: an assessment of the degree of sensitivity of the personal information, the purposes for which it will be used, the protection measures that will apply to it, and the legal framework in place in the jurisdiction to which the transfer will take place.^{Footnote 104} The collection, use or communication can only take place if an assessment of these factors establishes that the personal information “would receive protection equivalent to that afforded under this Act.”^{Footnote 105} There must also be a written agreement that governs the activities in relation to data; that refers to the assessment made; and that, where appropriate, contains “terms agreed on to mitigate the risks identified in the assessment.”^{Footnote 106} Nothing in the bill suggests that these assessments must be approved by the Commission d’accès à l’information or some other body before data can flow across borders, nor is there a requirement for assessments to be filed with the Commission.

Under the proposed s. 17(4), an organization must assess “the legal framework applicable in the State in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Quebec.” This is a challenging task for an organization, which presumably might have to seek legal opinions on foreign law. A proposed s. 17.1 foresees the potential for the involvement of the Quebec government in carrying out assessments of the adequacy of foreign regimes. It provides that the Minister shall publish in the Official Gazette “a list of States whose legal framework governing personal information is equivalent to the personal information protection principles applicable in Quebec.”^{Footnote 107}

The proposed system in Bill 64 (see Table III below) seems premised on a finding of equivalency that is made either by the government, or that is based on assessments carried out by those seeking to transfer data across borders. Unlike New Zealand, no distinction is made between processing activities where there is an agency relationship and activities that amount to disclosures. Unlike the schemes in the EU, Australia or New Zealand, there are no other alternatives provided (such as SCCs, BCR, or contracts) that could be leveraged to provide an equivalent level of protection even if it is absent at the state level. However, s. 17 seems to provide some wiggle room in that written agreements may contain “terms agreed on to mitigate the risks identified in the assessment.”

Table III – Overview of Quebec Framework

Text version of Table III

Table III – Overview of Quebec Framework

Any ‘communication’ of personal information outside of Quebec

and

Any time an entity entrusts a person or body outside Quebec with the task of collecting, using, communicating or keeping such information on its behalf
- Entity must undertake an assessment of:
  - sensitivity of PI
  - purposes of use
  - legal framework in jurisdiction to which transfer will take place
  No transfer is possible unless information “would receive protection equivalent to that afforded under this Act”
  
  Entity must enter into a written agreement governing the transfer and that where necessary contains terms that will mitigate risks identified in the assessment
  - Unclear where accountability lies
- Quebec Government can assess adequacy of foreign regimes and publish a list of States whose legal privacy frameworks are equivalent to protection available in Quebec

v. Convention 108+

The Convention for the Protection of Individuals with Regard to the Processing of Personal Data^{Footnote 108} (Convention 108) is a Council of Europe Treaty that was opened for signature in 1981 and that was the first legally binding international data protection instrument. It addresses data protection in both public and private sector contexts. It entered into force in 1985 with five ratifications. It has since been signed and ratified by a total of forty-seven European countries and has been ratified by an additional eight countries outside of Europe.^{Footnote 109} Canada has observer status with the Council of Europe in relation to this treaty.^{Footnote 110} Convention 108+ has been described as “the only legally binding multilateral instrument on the protection of privacy and personal data open to any country in the world.”^{Footnote 111}

In 2018, Convention 108 was amended to create the Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data^{Footnote 112} (Convention 108+). To date, this revision has been signed and ratified by seven European nations, and signed by a further thirty-five, including three non-European countries. Convention 108+ is particularly notable in that it upgrades the rules relating to cross-border data transfers.^{Footnote 113} According to Graham Greenleaf, the rules in Convention 108 were unlikely to meet the threshold for GDPR adequacy, but Convention 108+ upgrades the data protection norms to be more in line with the GDPR.^{Footnote 114} Greenleaf notes that Recital 105 of the GDPR indicates that accession to Convention 108 is a factor to take into account in an adequacy assessment,^{Footnote 115} although it is not determinative. The upgraded requirements of Convention 108+ increase the likelihood that accession to this convention could go a long way to satisfying a GDPR adequacy assessment. In his view, “Accessions to 108+ coupled with proper enforcement, should ensure that most of the GDPR requirements are met.”^{Footnote 116}

Meeting GDPR adequacy requirements is a key element in ensuring the free flow of data across borders between Canada and EU countries since this is the easiest and most straightforward option to facilitate cross-border data flows. As a general principle, article 14 of Convention 108+ provides that data can flow freely between two countries that are party to Convention 108+ unless “there is a real and serious risk that the transfer to another Party, or from that other Party to a non-Party, would lead to circumventing the provisions of the Convention.”^{Footnote 117} Transfers may also be permitted if “bound by harmonized rules of protection shared by states belonging to a regional international organization.”^{Footnote 118} This would, of course, include those states bound by the GDPR. For countries outside the EU, a GDPR adequacy assessment is still of value even with accession to Convention 108+, since Convention 108+ does not guarantee adequacy under the GDPR, and Convention 108+ contains exceptions to the principle of free flow of data among parties where a “serious risk” is identified.^{Footnote 119} However, as Greenleaf suggests, an adequacy assessment would be considerably facilitated by being party to Convention 108+. To the extent that other countries accede to Convention 108+, this framework provides for adequacy to be presumed with respect to other states party to the treaty.

Where the recipient of data is not subject to the jurisdiction of a state party to Convention 108+, then art. 14(2) provides that the transfer can only take place if “an appropriate level of protection based on the provisions of this Convention” is secured. This can be done by an assessment of the adequacy of the laws of the state where the recipient is located;^{Footnote 120} by ad hoc contractual arrangements or by approved “standardized safeguards provided by legally-binding and enforceable instruments” (SCCs);^{Footnote 121} or by consent by a data subject to the transfer with explicit notice of the risks and the lack of appropriate safeguards.^{Footnote 122} According to the Council of Europe, transfers of data must be assessed based on

Various elements of the transfer should be examined such as: the type of data; the purposes and duration of processing for which the data are transferred; the respect of the rule of law by the country of final destination; the general and sectoral legal rules applicable in the State or organisation in question; and the professional and security rules which apply there.^{Footnote 123}

Transfers may also take place without appropriate safeguards if the “specific interests of the data subject require it in the particular case”, or if there are important prevailing interests such as the public interest and the transfer “constitutes a necessary and proportionate measure in a democratic society”.^{Footnote 124}

Convention 108+ also specifies that the competent supervisory authority must be “provided with all relevant information concerning the transfers of data” that take place under contractual arrangements, whether these are under ad hoc or approved standardized safeguards.^{Footnote 125} In addition, the supervisory authority should be “entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests.”^{Footnote 126} Further, the supervisory authority should be able to prohibit or suspend transfers or place conditions on them in order to “protect the rights and fundamental freedoms of data subjects.”^{Footnote 127} These oversight powers are important, particularly if amendments to PIPEDA are made with a view to becoming a party to Convention 108+ in the future.

Convention 108+ offers an intriguing option for developing an international consensus around data protection norms with some teeth (as opposed to more general guidance such as the OECD or the APEC principles). In Canada, Colin Bennett has suggested that Convention 108+ may provide a partial solution to the challenges faced by Canada when it comes to cross-border data transfers since it has the potential to support a finding of adequacy with countries bound by the GDPR as well as with other signatories.^{Footnote 128} Greenleaf is also an advocate of accession to Convention 108+ as a means of building a global consensus around data protection. He describes it as providing the “only realistic long-term prospects of a global data privacy agreement.”^{Footnote 129}

However, while accession to Convention 108+ might have some longer-term advantages for Canada, it is not a short-term solution. PIPEDA and the Privacy Act^{Footnote 130} would require amendment for both adequacy under the GDPR and for accession to Convention 108+. Provincial buy-in would also be required, since amendments to provincial data protection laws would most likely also be needed. A considerable amount of federal/provincial co-operation and co-ordination might be required, although this may ultimately not be so different from what will be necessary to meet an GDPR adequacy assessment. With that in mind, preparation for a GDPR adequacy assessment could be aligned with putting in place the measures necessary to accede to Convention 108+. Being a state party to this convention would make it easier to create a list of countries to which Canadian companies can disclose data.

Footnotes

Footnote 1

(EU) 2016/679 [GDPR], art. 24.

Return to footnote 1

Footnote 2

supra note 1, art. 28.

Return to footnote 2

Footnote 3

supra note 1, art. 4(2).

Return to footnote 3

Footnote 4

supra note 1, art. 45(1).

Return to footnote 4

Footnote 5

Ibid., art. 45(2)(a). Emphasis added.

Return to footnote 5

Footnote 6

Ibid., art. 45(2)(b).

Return to footnote 6

Footnote 7

Ibid., art. 45(2)(c). See, e.g., the discussion of Convention 108+ in Part 5(v) above.

Return to footnote 7

Footnote 8

Ibid., art. 45(3).

Return to footnote 8

Footnote 9

Ibid., art. 45(4).

Return to footnote 9

Footnote 10

Ibid., art. 45(5).

Return to footnote 10

Footnote 11

Ibid., art. 45(7).

Return to footnote 11

Footnote 12

However, safeguards alone are not enough. The GDPR, ibid., art. 46(1) imposes the requirement that “enforceable data subject rights and effective legal remedies for data subjects are available.”

Return to footnote 12

Footnote 13

Ibid., art. 46(2)(b). These must be in accordance with Article 47.

Return to footnote 13

Footnote 14

Ibid., art. 46(2)(c). The approval procedure is set out in art. 93(2).

Return to footnote 14

Footnote 15

Ibid., art. 46(2)(d). The approval procedure is set out in art. 93(2).

Return to footnote 15

Footnote 16

Ibid., art. 46(2)(e). Sectoral codes of conduct are provided for in art. 40.

Return to footnote 16

Footnote 17

Ibid., art. 46(2)(f). Certification is provided for in art. 42.

Return to footnote 17

Footnote 18

Ibid., art. 46(3).

Return to footnote 18

Footnote 19

European Data Protection Board, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd. And Maximillian Schrems. 23 July 2020, at 4 [ EDPB].

Return to footnote 19

Footnote 20

supra note 1, art. 49. Reliance on ‘public interest’ is not to be routine. EDPB, ibid., at 4.

Return to footnote 20

Footnote 21

Data Protection Commissioner v. Facebook Ireland Ltd., Maximillian Schrems (Case C-311/18), [Schrems II].

Return to footnote 21

Footnote 22

Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) [Schrems I].

Return to footnote 22

Footnote 23

EDPB, supra note 19, at 2.

Return to footnote 23

Footnote 24

Ibid.

Return to footnote 24

Footnote 25

E.g.: Germany, press release 17 July 2020 (Berlin), Press Release 16 July 2020 (Hamburg), Press Release 16 July 2020 (Thuringia); Press Release 20 July 2020 (available in Dutch only).

Return to footnote 25

Footnote 26

Germany, Rhineland-Palatinate, 16 July 2020; France 17 July 2020; Denmark, 20 July 2020;

Return to footnote 26

Footnote 27

Ireland, 16 July 2020.

Return to footnote 27

Footnote 28

Schrems II, supra note 21, at paras 168ff.

Return to footnote 28

Footnote 29

Schrems II, ibid., at para 181.

Return to footnote 29

Footnote 30

Ibid.

Return to footnote 30

Footnote 31

supra note 19 at 3.

Return to footnote 31

Footnote 32

Ibid.

Return to footnote 32

Footnote 33

Ibid. at 4.

Return to footnote 33

Footnote 34

EDPB, ibid., at 4-5. See also, Schrems II, supra note 21, at para 141.

Return to footnote 34

Footnote 35

Privacy Act 1988, No. 119, 1988.

Return to footnote 35

Footnote 36

Ibid., s. 2A(f).

Return to footnote 36

Footnote 37

Australia’s Information Privacy Principles are found in the Privacy Act 1988, ibid., Schedule 1.

Return to footnote 37

Footnote 38

Office of the Australian Information Commissioner, APP Guidelines, Chapter 8: Australian Privacy Principle 8 – Cross border disclosure of personal information. Version 1.2, July 2019, at 4.

Return to footnote 38

Footnote 39

Ibid., This does not include unauthorized access such as, for example, hacking into a system by someone in another country.

Return to footnote 39

Footnote 40

Ibid.

Return to footnote 40

Footnote 41

Ibid., at 5.

Return to footnote 41

Footnote 42

Ibid.

Return to footnote 42

Footnote 43

Ibid., at 6.

Return to footnote 43

Footnote 44

Privacy Act 1988, supra note 35, Schedule 1, APP 6.

Return to footnote 44

Footnote 45

OAIC APP Guidelines, supra note 38, at 3-4.

Return to footnote 45

Footnote 46

Ibid., at 4.

Return to footnote 46

Footnote 47

Ibid., at 6.

Return to footnote 47

Footnote 48

Ibid., at 6-7.

Return to footnote 48

Footnote 49

Ibid., at 7.

Return to footnote 49

Footnote 50

Ibid.

Return to footnote 50

Footnote 51

Ibid., at 7.

Return to footnote 51

Footnote 52

Privacy Act 1988, supra note 35, APP 8, subclause 8.2(a).

Return to footnote 52

Footnote 53

OAIC APP Guidelines, supra note 38, at 8.

Return to footnote 53

Footnote 54

Ibid.

Return to footnote 54

Footnote 55

The OAIC gives the example of a taxation law that imposes stringent information handling practices (ibid., at 8).

Return to footnote 55

Footnote 56

Ibid., at 8.

Return to footnote 56

Footnote 57

Ibid., at 8.

Return to footnote 57

Footnote 58

Ibid., at 8.

Return to footnote 58

Footnote 59

Ibid., at 9.

Return to footnote 59

Footnote 60

Ibid., at 9.

Return to footnote 60

Footnote 61

Ibid., at 10.

Return to footnote 61

Footnote 62

Ibid., at 10.

Return to footnote 62

Footnote 63

Privacy Act 1988, supra note 35, APP 8, subclause 8.2(d). These include exceptions relating to where there is a serious threat to life, health or safety, where action is taken with respect to suspected unlawful activity, and so on.

Return to footnote 63

Footnote 64

Privacy Act 1988, supra note 35, APP 8, subclause 8.2(e) provides a further exception for public sector entities in relation to law enforcement activities.

Return to footnote 64

Footnote 65

Privacy Act 1988, supra note 35, s. 16C(1)(d).

Return to footnote 65

Footnote 66

OAIC APP Guidelines, supra note 38, at 15. This is the case even if they have taken reasonable steps as required under clause 8.1. They will also be responsible if the party to whom they provided the data subcontracts it out and the subcontractor breaches the APPs.

Return to footnote 66

Footnote 67

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub L 107-56 (USA PATRIOT ACT). Referenced in OAIC APP Guidelines, supra note 38 at 16.

Return to footnote 67

Footnote 68

Privacy Act 2020, No. 31 (New Zealand).

Return to footnote 68

Footnote 69

Cabinet Social Policy Committee, REFORMING THE PRIVACY ACT 1993, at 2. [Cabinet Social Policy Committee].

Return to footnote 69

Footnote 70

Ibid., at 11.

Return to footnote 70

Footnote 71

The New Zealand Privacy Act 1993, No. 28, remains in force until the Privacy Act 2020 takes effect in December 2020. The provisions in question are found in s. 114B ff of the 1993 statute, where they were added by a 2010 amendment. They are found in s. 193 ff of the 2020 Act. These provisions were added to address the concerns of New Zealand’s trading parties, most notably, of course, the EU. See: Privacy Commissioner (NZ), Fact Sheet on Part 11A of the Privacy Act 1993: Transfer of Personal Information Outside New Zealand, September 2010.

Return to footnote 71

Footnote 72

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 2013.

Return to footnote 72

Footnote 73

This provision will be renumbered 193(1) once the Privacy Act 2020, supra note 68, takes effect.

Return to footnote 73

Footnote 74

This provision will be renumbered 193(2) once the Privacy Act 2020, ibid., takes effect.

Return to footnote 74

Footnote 75

This provision will be renumbered 195(2) once the Privacy Act 2020, ibid., takes effect

Return to footnote 75

Footnote 76

This provision will be renumbered 196 once the Privacy Act 2020, ibid., takes effect

Return to footnote 76

Footnote 77

This organization is present in both the earlier version and the Privacy Act 2020.

Return to footnote 77

Footnote 78

Privacy Act 2020, supra note 68.

Return to footnote 78

Footnote 79

Privacy Act 2020, supra note 68, s. 11(2)

Return to footnote 79

Footnote 80

Privacy Act 2020, supra note 68, s. 11 (5).

Return to footnote 80

Footnote 81

New Zealand Privacy Commissioner Blog, “Privacy 2.0: Cross-border disclosures – introducing new privacy principle 12”, 2 March 2020.

Return to footnote 81

Footnote 82

Cabinet Social Policy Committee, supra note 69 at 10.

Return to footnote 82

Footnote 83

Ibid.

Return to footnote 83

Footnote 84

Ibid.

Return to footnote 84

Footnote 85

This is the new IPP 12. The IPPs in New Zealand’s legislation are similar to the privacy principles set out in Schedule I of PIPEDA, although they are directly incorporated into s. 19 of the Privacy Act 2020, supra note 68.

Return to footnote 85

Footnote 86

Privacy Act 2020, supra note 68, IPP 12(1)(c).

Return to footnote 86

Footnote 87

Cabinet Social Policy Committee, supra note 69, at 11.

Return to footnote 87

Footnote 88

These regulations are to be made under the authority of s. 213 of the Privacy Act 2020, supra note 68.

Return to footnote 88

Footnote 89

Privacy Act 2020, supra note 68, s. 213(2).

Return to footnote 89

Footnote 90

Privacy Act 2020, supra note 68, IPP 12(1)(e).

Return to footnote 90

Footnote 91

Privacy Act 2020, supra note 68, s. 214(2).

Return to footnote 91

Footnote 92

Privacy Act 2020, supra note 68, s. 214(3).

Return to footnote 92

Footnote 93

Privacy Act 2020, supra note 68, s. 12(1)(f).

Return to footnote 93

Footnote 94

New Zealand Privacy Commissioner, “Expressions of interest sought–Privacy Bill 2020 -developing model contractual privacy clauses for cross border disclosures”, 11 May 2020.

Return to footnote 94

Footnote 95

New Zealand Privacy Commissioner Blog, “Privacy 2.0: Model contract clauses”, 11 May 2020.

Return to footnote 95

Footnote 96

Cabinet Social Policy Committee, supra note 69, at 11.

Return to footnote 96

Footnote 97

Ibid.

Return to footnote 97

Footnote 98

Ibid., at 11.

Return to footnote 98

Footnote 99

Ibid.

Return to footnote 99

Footnote 100

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 42d Legislature, 1^st Sess. All references to Bill 64 in this document are to the new or modified provisions of An Act respecting the protection of personal information in the private sector proposed in the bill.

Return to footnote 100

Footnote 101

An Act respecting access to documents held by public bodies and the Protection of personal information, RSQ, c A-2.1.

Return to footnote 101

Footnote 102

All references to Bill 64 are to the new or modified provisions of An Act respecting the protection of personal information in the private sector created by the bill.

Return to footnote 102

Footnote 103

Note that a proposed s. 18.3 would allow for the contracting out of certain services involving personal data. It provides that appropriate contractual safeguards should be in place. However, s. 18.3 refers to this as a “communication” of personal data, and s. 17 applies to all communications of data outside of Quebec. Thus, although cross-border agency type relationships may be permissible, it seems they would still have to comply with the provisions set out in s. 17.

Return to footnote 103

Footnote 104

Bill 64, supra note 100, s. 17(1)-(4).

Return to footnote 104

Footnote 105

Ibid., s. 17.

Return to footnote 105

Footnote 106

Ibid., s. 17.

Return to footnote 106

Footnote 107

Ibid., s. 17. Some have questioned whether the Quebec government has properly taken into account the burden that would be imposed by the carrying out of such adequacy assessments. See: Éloïse Gratton, Elisa Henry, François Joli-Coeur, Max Jarvie, Andy Nagy, “Proposed amendments to Québec privacy law: Impact for businesses”, 15 June 2020.

Return to footnote 107

Footnote 108

Convention for the protection of individuals with regard to automatic processing of personal data (ETS No. 108, 28.01.1981).

Return to footnote 108

Footnote 109

These are: Argentina, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia and Uruguay.

Return to footnote 109

Footnote 110

Council of Europe, Committee of Ministers, Resolution 96(9) on Observer Status for Canada with the Council of Europe, Adopted by the Committee of Ministers on 3 April 1996, at the 562nd meeting of the Ministers' Deputies.

Return to footnote 110

Footnote 111

Alessandra Pierucci and Jean-Philippe Walter, “Better protecting individuals in the context of international data flows: the need for democratic and effective oversight of intelligence services”, Joint Statement, Strasbourg, 7 September 2020, Council of Europe.

Return to footnote 111

Footnote 112

Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data, adopted by the Committee of Ministers at its 128^th Session, in Elsinore on 18 May 2018 [Convention 108+].

Return to footnote 112

Footnote 113

Pierucci & Walter, supra note 111 at 3, state that Convention 108+ “is set to become the international standard on privacy and data protection in the digital age, and represents a viable tool to facilitate international data transfers while guaranteeing an appropriate level of protection for people globally.”

Return to footnote 113

Footnote 114