Bill C-11’s Treatment of Cross-Border Transfers of Personal Information

By Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa

May 2021

Introduction

In our digital and data economy, personal data increasingly flows across national borders. The free flow of data has become an important international trade objective;^{Footnote 1} at the same time, the protection of personal data as it flows into other jurisdictions is a growing concern of domestic data protection laws. This is certainly the case in the European Union, where the General Data Protection Regulation^{Footnote 2} has put in place a series of strong measures to protect the personal data of EU residents, whether it is located in an EU country or sent abroad. According to the GDPR, the personal data of EU residents cannot flow across borders unless measures are in place to ensure that it will receive an “adequate level of protection” to that available in the EU.^{Footnote 3} This includes an adequate level of protection when it comes to access to personal data by law enforcement and national security authorities. This past summer, the European Court of Justice ruled that the level of access of US national security officials to the data of EU residents that flowed into the United States, combined with a lack of effective recourse for EU residents, meant that data transfers could no longer be supported under the EU-US Privacy Shield measures implemented to facilitate the free flow of data.^{Footnote 4}

The EU is not the only jurisdiction to address transborder data flows, although it has perhaps been the most assertive in doing so. Countries such as Australia and New Zealand, for example, specifically provide for the protection of the personal data of their residents when it flows outside the country.^{Footnote 5} New Zealand has in fact just carefully reworked its scheme as part of a new law that took effect in December 2020.^{Footnote 6} The Quebec government, in its recent Bill to amend its public and private sector data protection laws also imposes specific obligations on organizations to protect the personal data of Quebec residents when it flows outside that province.^{Footnote 7} While each of these jurisdictions adopts its own approach, what is shared by all is the explicit acknowledgement of the importance of the issue, and the articulation of rules specific to the transborder context.

On November 17, 2020, Bill C-11, titled the Digital Charter Implementation Act^{Footnote 8} was tabled in Parliament. This Bill represents a major revision to the Personal Information Protection and Electronic Documents Act (PIPEDA).^{Footnote 9} It provides for two new laws: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act. This paper will focus on the way in which Bill C-11 addresses, in the CPPA portion of the bill, the protection of the personal data of Canadians when it flows across international borders in the private sector context. This paper will identify key provisions of the CPPA that relate to cross-border data transfers.^{Footnote 10} It will offer a critical analysis of the extent to which these provisions protect privacy in the context of international flows of personal information. It will identify potential gaps in the proposed framework and will indicate areas where the privacy of individuals may be placed at risk. Where relevant, the analysis takes into account comparable measures in jurisdictions such as Europe, Australia, New Zealand and Quebec, as well in the Modernised Convention for the Protection of Individuals with Regard to the Processing Personal Data (Convention 108+).^{Footnote 11} Drawing upon this comparative analysis, the paper presents recommendations for how Bill C-11 could be enhanced to better protect privacy in the context of international transfers.

Framework

This paper adopts a framework based upon four key elements that must be addressed by any scheme for the protection of personal data in transborder data flows.

In the first place, it is necessary to define to whom the obligations will apply and in what circumstances. Not all flows of data across borders will necessarily be captured. Some schemes might address only transfers of data for specific purposes. PIPEDA, for example, refers only to transfers for processing. This reflects the more conventional model of transborder data flows – the outsourcing of data for processing. However, in the contemporary data environment, personal data may flow across borders for a broad range of purposes and in very different ways. For example, an organization may store its data in the cloud. It may make use of offshore customer service centres. It may use cloud-based software services in its operations with the result that some personal data is processed in the cloud. Organizations may rely upon offshore service providers for the collection of personal information. Canadian-based organizations and their offshore affiliates may also have a variety of relationships that impact how services are delivered to customers. A data protection law must therefore clearly identify those activities and actors to which it will apply.

A second consideration is that the law must identify who is accountable for the personal data that flows across borders and in what circumstances. Accountability can lie with the primary organization, or it may lie with the service provider. In some cases, it might be appropriate to situate accountability with one rather than the other. Accountability – and clarity about where it will lie – is important since individuals must be able to determine who they can hold to account – and under what legislative regime – if there are data protection issues.

A third consideration is the identification of the conditions that must be met before personal data can flow across borders. These may include the notice to be provided to data subjects, the level of protection required, as well as the safeguards and measures that must be in place before data can flow. Some jurisdictions, such as the EU provide a broad range of options to enable organizations to meet these obligations. For example, these can include standard contractual clauses, model contractual clauses, or binding corporate rules.^{Footnote 12}

A fourth consideration is how to address the adequacy of the destination state’s privacy regime. Adequacy is essentially a determination that the destination country has a data protection regime in place that offers a level of protection to personal data that meets the standard set by the law in the country from which data is transferred. Adequacy can be assessed according to different standards (e.g., “substantially similar”, or “equivalent”). Adequacy can be important even if there is a contractual agreement in place, and even if the domestic organization remains accountable for the data. Adequacy is significant for two reasons. One is that there may be circumstances in which the offshore service provider is considered accountable.^{Footnote 13} In such cases, their accountability may be under their domestic laws. A second reason is that many states allow access to the personal data of non-residents by law enforcement or national security authorities. Adequacy does not necessarily require that such access be prohibited; but it may well require that there be some recourse for Canadian residents should they choose to exercise it. This is something that not even the best drafted contract can address. Legislation can provide that an assessment of the adequacy of the legal system in place in the country to which data flows must be carried out by the accountable organization,^{Footnote 14} or at a state-to-state level.^{Footnote 15}

These four considerations provide the framework for the analysis that follows of the provisions of Bill C-11 that address cross-border flows of personal data.

Context

Before beginning the analysis of Bill C-11’s provisions, it is important to provide a brief summary of how PIPEDA currently addresses cross-border data flows.

PIPEDA contains no specific provisions with respect to cross-border data flows, notwithstanding the fact that the outsourcing of data for processing was a known practice at the time.

Although PIPEDA says nothing explicitly about cross-border data flows, it does contain a clause in Schedule 1 that deals in general terms with transfers of data “to a third party for processing.” Clause 4.1.3, under the heading of “Accountability,” reads:

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

The clause makes it clear that transfers are permissible, and that the transferring organization is accountable for the personal data when it is in the hands of the entity to which it is transferred. It also places an onus on the transferor to ensure that the information receives a comparable level of protection in the hands of the transferee – by using contracts, for example. But this clause addresses only transfers for processing and not the myriad other types of data flows. Further, nothing in the law specifically addresses cross-border contexts; nothing addresses the vulnerability of data to access by the law enforcement or national security officials of overseas governments; and nothing provides an opportunity to assess and evaluate the adequacy of the data protection regimes in countries to which data is transferred.

The bare-bones nature of Clause 4.1.3 combined with the growing frequency and importance of cross-border data flows led the Office of the Privacy Commissioner of Canada (OPC) to issue Guidelines for processing personal data across borders in 2009^{Footnote 16} that explained how the OPC would interpret and apply this clause. It is, for example, these Guidelines (and not Clause 4.1.3) that clarify that the clause is interpreted to apply to domestic as well as cross-border data transfers.^{Footnote 17} The Guidelines also clarify that Canada had adopted an “organization to organization” approach rather than one that focused on the adequacy of the legal regime in the country of transfer.^{Footnote 18} Under the organizational approach, the company transferring the data remains accountable for it, should it be misused or mishandled by the transferee.^{Footnote 19} Although the Guidelines help clarify the rules in place, Clause 4.1.3 remained rooted in its moment in time. It is framed around the concept of transfers of data for processing in a way that no longer captures the full range of reasons or ways in which data now flows across borders.

The government had a number of options when it came to addressing cross-border data transfers in Bill C-11. Not only has the EU comprehensively addressed the issue in the GDPR, but comparable jurisdictions such as Australia and New Zealand have already tackled this complex issue and have developed their own schemes to protect the personal data of residents when it flows outside the country. The Government of Quebec has also introduced provisions in its Bill 64^{Footnote 20} – legislation to amend both public and private sector data protection laws in Quebec – that deal with cross-border data flows.

Appendix 3 to this paper provides a detailed overview of how these privacy regimes protect the personal data of individuals in the context of cross-border data flows.

The federal government is clearly aware of the significance of cross-border data flows. The revised language of section 5 of Bill C-11, which sets out the law’s purpose, reprises the purpose statement from PIPEDA, but adds language that identifies the current context as “an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information.” Paragraph 6(2)(a) of Bill C-11, which sets out the scope of application of the bill, also makes it clear that it will apply to personal information “that is collected, used or disclosed interprovincially or internationally by an organization.”

The discussion below examines how Bill C-11 addresses cross-border data flows, using the four questions identified above to frame the analysis.

Analysis

1. To whom obligations will apply and in what circumstances

The question of to whom any obligations regarding cross-border data flows will apply – and in what circumstances they will be applicable – are truly core questions for any legislation designed to deal with this issue. As noted above, PIPEDA adopts a relatively bare-bones approach, applying only to transfers for processing, and providing for the accountability of the transferring organization. The CPPA somewhat obliquely recognizes a more complex context for cross-border transfers and goes beyond what is provided for in PIPEDA. However, it does not deal with cross-border data flows in a specific part of the legislation. Nothing distinguishes cross-border data flows from those in the domestic context. This is problematic. In the first place, the cross-border context raises distinct issues around such things as adequacy and accountability. Secondly, as the CPPA currently stands, those engaging in cross-border activities must follow a breadcrumb trail through the statute to identify the rules applicable to this context. Given the particular vulnerability of Canadians when their personal information flows across borders, this patchwork/guesswork approach is not appropriate.

As discussed earlier, personal data may now flow across borders in ways and for uses that go beyond traditional transfers for processing. Cloud-based services have, for example, changed these dynamics, and there are ways in which the provision of these services can lead to new collection and use of personal information by service providers. For example, a company providing offshore customer services may be collecting data about how those services are provided. This may include the personal data of its clients’ customers, and this data may be used by the offshore organization for its own analytics or internal purposes.

In the EU, the GDPR sets rules for the cross-border transfer of data “which are undergoing processing or are intended for processing after transfer to a third country.”^{Footnote 21} The cross-border data flow provisions are based upon the controller-processor relationship which is defined in the legislation. A “controller” is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data […].”^{Footnote 22} The equivalent concept under both PIPEDA and C-11 is an “organization,” which is defined in both laws as including “an association, a partnership, a person or a trade union.”^{Footnote 23} Note that the CPPA definition is general and does not specify the role of the organization with respect to data in the same way that “controller” does.^{Footnote 24} In a regime that places accountability primarily on the shoulders of the controlling organization and that recognizes principal and subordinate roles, it is unfortunate that the CPPA does not more clearly link organizations to their roles with respect to data.

A “processor” is defined in the GDPR as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”^{Footnote 25} Processing is broadly defined as:

[…] any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.^{Footnote 26}

Under the CPPA, organizations are accountable for their relationships, not with ‘processors’, but with “service providers.” The Canadian version of the “controller-processor” relationship, is therefore the “organization-service provider” relationship.^{Footnote 27} Although the relationships have some rough equivalence, there are differences that may be significant.

A service provider is defined in section 2:

service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.

The definition of a service provider identifies it as an “organization”^{Footnote 28} which, as noted above, is separately defined in the CPPA as including “an association, a partnership, a person or a trade union.”^{Footnote 29} According to the definition of “service provider” an organization that is a service provider can include “a parent corporation, subsidiary, affiliate, contractor or subcontractor.”

The definition of “service provider” in Bill C-11 is notably different from the GDPR definition of a “processor” in that the GDPR definition specifically links the processor to actions “performed on personal data or on sets of personal data.” Thus, although the GDPR definition of a processor is broad and inclusive, it is expressly tied to the processor’s role in relation to personal data. The definition of “service provider” in the CPPA is not. A service provider is a body “that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.” There is no obvious reason for the definition to be this general. While the CPPA is obviously a data protection statute, the definition of ‘service provider’ should nonetheless address service providers that provide services related to personal information or data sets containing personal information. Perhaps more importantly, a clear description of the entity’s role with respect to data (as opposed to with respect to another organization) could make it clearer how a service provider (processor) can, with respect to some functions, become subject to the obligations of an organization (controller).

The law is silent as to the geographic location of service providers, so presumably they can be within Canada or in another country.^{Footnote 30} Therefore, any obligations or accountability in relation to service providers in the CPPA will apply to those within or outside Canada unless otherwise specified. Nevertheless, the fact that service providers may be situated within or outside Canada should be expressly stated somewhere in the legislation – and the definition would be a likely place for this.^{Footnote 31} The CPPA in some cases imposes direct obligations on service providers,^{Footnote 32} and the intent to have extraterritorial application should be manifest.

The definition of service provider is broad. A service provider “provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.” Basically, where any entity assists an organization in fulfilling its purposes, that second entity is a “service provider.” Those services could include the processing of data or its storage. One can assume, therefore, that cloud storage providers are service providers, as are providers of cloud-based business services.

“Service provider” includes entities that collect personal data on behalf of organizations.^{Footnote 33} This goes well beyond PIPEDA’s narrower paradigm of transfers for processing. For example, an organization in Canada might seek the services of an offshore company to collect data about Canadians from social media sites, or might use the services of offshore data brokers. It might simply use the services of an offshore company to facilitate some of its operations – such as making restaurant reservations that involve collecting personal information, for example. In those instances, the offshore companies would seem to be service providers in that they are assisting the organization in fulfilling its purposes, assuming its purposes include collecting that kind of data.

The reference in the definition of service provider to a “contractor or subcontractor” raises some questions. An organization (controller) would clearly have a contractual relationship with a contractor (service provider). However, if the service provider sub-contracts any of the data-related tasks, the relationship between the organization/controller and the sub-contractor is unclear. One approach would be to interpret the law’s inclusion of “sub-contractor” in the definition of ‘service provider’ as creating a relationship in law – in other words, it makes the organization/controller accountable for what happens to the personal data in the hands of the sub-contractor. If this is the case, then the service provider should not be able, independently, to sub-contract out processing functions without the consent of the organization/controller. For example, article 28(2) of the GDPR makes it clear that a “processor shall not engage another processor without prior specific or general written authorisation of the controller.” Article 29 makes it clear that in a sub-contracting relationship, the controller remains ultimately in control of and accountable for the data. These relationships should be clarified in the CPPA.

Overall, it would appear that the “service provider” definition in Bill C-11 is meant to have a similar breadth to the GDPR’s definition of “processing” (and hence a scope similar to that of “processor”). This is reinforced by subsection 7(2), which refers to the collection, use or disclosure of personal data by a service provider on behalf of an organization. However, it should be noted that there are subtle shifts in vocabulary in the disparate provisions that can be applied to cross border data flows that may create some level of confusion. Paragraph 62(2)(d) refers to international “transfer or disclosure” in establishing a transparency requirement but does not mention collection. Subsection 11(1) requires organizations to protect personal information by contracts with service providers when data is transferred to them, but does not mention when it is collected by service providers on their behalf. Subsection 11(2) refers to “uses or disclosures” by service providers of transferred information, but not information collected on the organization’s behalf. Each of these formulations is narrower than the collection, use or disclosure of personal data by a service provider on behalf of an organization that is described in subsection 7(2).

The CPPA’s approach to cross-border data flows – and in particular the broadening of its scope of application to include not just transfers but also other data-related services including the collection of data, situated within the contemporary data environment, mean that these provisions will have a broader impact. More specifically, while PIPEDA’s “transfer for processing” paradigm tended predominantly to affect large companies, many small and medium sized enterprises currently use offshore services to process customer data in one form or another. These cross-border flows can include the use of cloud-based software and app-based services, cloud storage of data, and the collection and processing of data for marketing or other purposes. It is therefore more important than ever that the cross-border data provisions be clear, accessible, and sufficiently detailed to protect personal data while facilitating compliance and reducing uncertainty. As a result, it is recommended that they be addressed in a specific dedicated section of the statute, and that ambiguities be clarified.

2. Who is accountable?

The issue of accountability is intimately tied to how the principal actors are defined. Under PIPEDA, organizations are accountable for data they transfer to another organization for processing. This general approach is maintained in the CPPA, although the definition of service provider extends the bill’s application beyond transfers for processing.

As a first principle, under the CPPA, an organization (controller) is accountable for the information under its control.^{Footnote 34} Subsection 7(2) provides that information is under the control of an organization when it “decides to collect it” and “determines the purposes for its collection, use or disclosure.” This will be the case “regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.”^{Footnote 35} Thus, accountability is squarely placed on the shoulders of the organization that initiates the process of collection, use or disclosure of personal data. The nature of this accountability – at least in the context of data transfers^{Footnote 36} – is elaborated upon in subsection 11(1) which requires the organization to ensure “by contract or otherwise” that the service provider to which data is transferred will provide “substantially the same protection of the personal information as that which the organization is required to provide under this Act.”

In this context, the service provider is exempt from direct accountability under the CPPA for the personal information that it handles on behalf of the organization. However, a service-provider will be directly accountable under subsection 11(2) if it “collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred.”^{Footnote 37} This presumably includes accountability for any improper activities by the service-provider with respect to the data, although there would likely be joint accountability in such circumstances. It would likely also capture circumstances where the service provider uses the data for its own purposes. For example, a service provider may offer cloud-based client services to an organization’s customers. In doing so, it may collect data about interactions with customers for its own business purposes. It would presumably be directly accountable under the CPPA for this second category of data. However, it is not clear what rules would govern its obligations to provide notice of its collection or use. A service-provider might well decide to avail itself of the exception in paragraph 18(2)(e), which allows an organization to dispense with notice and consent where there is no direct relationship with the individual. This weakens transparency in this relationship and makes it much more difficult for individuals to hold offshore service providers to account. As to the mechanics of how they might be held to account, individuals theoretically could file complaints (although their ability to do so would be hampered by the lack of a direct relationship and possible lack of notice and consent), and a real and substantial connection with Canada would presumably need to be found in the circumstances.^{Footnote 38}

This interpretation of subsection 11(2), which would find a service provider accountable for information it directly collects, uses or discloses in the course of its relationship with the customers of the organization/controller, is, however, cast in some doubt by the way that it is worded. Subsection 11(2) provides that a service-provider will be accountable if it “collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred.”^{Footnote 39} The provision seems to refer to the information that was transferred to the service provider by the organization, yet subsection 7(2) indicates that information may be collected, used or disclosed by a service provider on behalf of an organization. Data collected by a service provider on behalf of an organization is not “transferred” to it in any ordinary sense of that term. Neither is data collected by the service provider for its own purposes. Thus, given both the contemporary data context and the wording of subsection 7(2), subsection 11(2) should clearly refer to personal data that a service provider collects, uses or discloses as a result of its relationship with the customers of the organization/controller. As it is currently worded, for example, subsection 11(2) might not capture the circumstances of the Equifax Canada case, where Equifax Canada directed its customers into a relationship with U.S.-based Equifax Inc. which resulted in the collection of their personal data by the U.S. company.^{Footnote 40}

It may be that 11(2), as worded simply does not capture what it was intended to capture. For example, an offshore service provider such as a call centre may have access to the personal data held by the organization; it may also collect additional personal data for its own purposes (e.g., voice recordings for audit, review, or employee assessment purposes). This separate collection would appear not to be captured by subsection 11(2). Subsection 11(2) also does not address the case of an offshore service provider retained to collect data on behalf of an organization. The offshore provider in these circumstances seems to be treated as an ‘organization’ and not a service provider, but subsection 11(2) only explicitly makes service providers accountable in relation to transfers of data and their independent use of the transferred data. This means that service providers collecting data on their own behalf would most likely be accountable for this data on the basis of the ‘real and substantial connection’ test. The CPPA should clearly set out the accountability of service providers for the data they collect and use on their own initiative and for their own purposes to relieve affected individuals of the burden of establishing a real and substantial connection before a court will assume jurisdiction.

To the extent that subsection 11(2) makes offshore service providers directly accountable for the information they collect and use independently of their arrangement with the organization/controller, this may be less than ideal for the protection of individuals.^{Footnote 41} One alternative is to require that any data collection or use carried out by the service provider for its own purposes be governed by its contractual arrangements with the organization/controller – with accountability remaining with the organization/controller. Alternatively, as will be discussed below, another option is to ensure that the service provider is subject to a substantially similar data protection regime.

The accountability approach raises interesting issues when it comes to service providers who collect personal information on behalf of an organization. In such circumstances, accountability would seem to require that the organization ensure that the collection take place in a manner that is consistent with Canadian law.^{Footnote 42} It is unclear whether there is a distinction between a service provider who is specifically mandated to collect information on behalf of an organization, and a service provider who collects information generally and will provide it to an organization at the organization’s request (such as, for example, a data broker, or a provider of facial recognition services). In the latter case, the accountability approach seems to make the organization responsible for the manner in which the service provider collects the information – even though that information may be collected prior to the relationship between the organization and the service provider. Such collection would have to be consistent with Canadian law – even if the service provider is complying with their own domestic legal requirements. This might mean that a Canadian organization would need to consider whether an offshore service provider’s practices are consistent with Canadian law before contracting with them for the collection of personal data. This is another area where a requirement of substantial similarity of the data protection regime in the service provider’s country would provide better protection for Canadians.

An organization’s act of transferring data to a service provider is exempted from the requirements of knowledge or consent under section 19 of the CPPA. This means that an organization is not required to inform its customers that personal data are outsourced for processing, nor is consent of those customers required for such activities. The organization remains accountable for what happens to the personal data (except, presumably, where the service provider uses the information for its own purposes). It is important to note, however, that the exception to the requirement of knowledge or consent applies only to transfers of data to service providers. Presumably, an organization that hires a service provider to collect data on its behalf and to do anything with that collected data, would still be required to provide notice and obtain consent for that collection (unless it otherwise falls within one of the exceptions to knowledge and consent).^{Footnote 43} This should be explicit. As it currently stands, it is not clear if this distinction was intended or whether it results indirectly from the choice of vocabulary.

Where a transfer has taken place, there is also a new obligation in the CPPA that would require an organization to communicate any request by an individual for the erasure of their personal data to the service provider.^{Footnote 44} In such circumstances, the organization is also responsible for obtaining confirmation that the service provider has “disposed of” the data.

Although organizations remain primarily accountable for the information they collect or use via service providers, there are some obligations placed directly and explicitly on service providers under the legislation. Under section 61, service providers – whether as transferees or as more directly engaged actors – have an obligation to report any breach of security safeguards involving personal information to “the organization that controls the personal information.”^{Footnote 45} The obligation is to notify them “as soon as possible.”^{Footnote 46} This raises some interesting extraterritoriality issues in cases where the service provider is located in another jurisdiction. It is not clear that the provision of services to an organization in Canada that remains accountable for the personal data would otherwise bring a service provider under the scope of the CPPA. PIPEDA has been found to apply to offshore organizations where there is a “real and substantial connection” to Canada – generally this has been found in cases where there is some direct interaction with Canadians (collecting their data or providing services to them).^{Footnote 47} It has not yet been found to exist where a service provider has provided services to an organization in Canada that itself remains directly accountable under PIPEDA for the data. Specific obligations under the CPPA such as breach notification are different in that the law directly imposes reporting obligations on offshore service providers. If one assumes that service providers can be offshore entities (something that is never made explicit in the CPPA), then section 61 would seem to have explicit extraterritorial effect. Presumably the organization, in its contract with the service-provider, will include a requirement to notify them of any breach of security safeguards – especially since organizations are required to provide breach notification with respect to information under their control – and the information is considered to remain under their control in relationships with service providers. What is unclear is the extent to which an offshore service provider will be meaningfully subject to any separate accountability under the CPPA for breach of their specific obligation under section 61.

3. What conditions must be met before the data can flow across borders?

Although the scope of the legal obligations relating to cross-border data flows may have changed, as noted above, accountability remains—for the most part—with organizations. Their compliance with the obligations in the CPPA will largely depend on them having put in place contractual arrangements that ensure that service providers offer “substantially the same protection of the personal information as that which the organization is required to provide under this Act.” Under PIPEDA, clause 4.1.3 refers to a “comparable” level of protection. “Substantially the same” appears, at least on its face, to be a more stringent standard than “comparable.”^{Footnote 48} The more stringent standard suggests that guidance should be provided as to what elements must be addressed and how in contractual arrangements. The GDPR provides a number of options in this regard, including standard contractual clauses and binding corporate rules.^{Footnote 49} Quebec’s Bill 64 provides a list of factors that organizations must take into account in assessing whether an equivalent level of protection is available in the service provider’s jurisdiction.^{Footnote 50} In Australia, the Office of the Australian Information Commissioner provides a list of considerations for contractual arrangements, as well as a list of factors that it will take into account in assessing whether reasonable steps have been taken to ensure an appropriate level of protection for personal information in the hands of an offshore service provider.^{Footnote 51}

Where data is transferred to a service provider, subsection 11(1) provides that the organization must ensure this required level of protection “by contract or otherwise.” Under PIPEDA, contracts were the primary means by which cross-border data transfers were governed, and it seems that the CPPA intends that they will be the principal means as well. It is not immediately clear what “or otherwise” might include.

It is possible that “or otherwise” is an oblique reference to the provisions regarding Codes of Practice and Certification Programs, which might be meant to have some application in this context. These provisions (sections 76-81 of Bill C-11) refer to an “entity,” which is defined as “any organization, regardless of whether it is an organization to which this Act applies, or a government institution.” It is not clear whether this includes entities outside of Canada (i.e., an organization to which the Act does not apply). Certainly, offshore entities are not expressly excluded by the wording of the legislation.

The CPPA allows such an entity “to apply to the Commissioner for approval of a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under this Act.”^{Footnote 52} An entity may also apply to the Commissioner for approval of a certification program that is based upon a code of practice, and that provides for oversight and disciplinary measures.^{Footnote 53} Details of requirements for certification programs are to be set out in regulations.^{Footnote 54} These regulations should provide clear and precise guidance as to what must be included. Conceivably, therefore, a Canadian entity or an offshore entity could create a code of practice and certification program for eligible “service providers”, and the Commissioner could approve the Code and the certification program. If this happened, then an organization subject to the CPPA could presumably transfer data outside of the country to a service provider that was certified under such a scheme. By doing so, it would ensure “by contract or otherwise” substantially the same level of protection.

If, in fact, the code of practice and certification provisions can be used in this way then this creates a second option for compliance with the obligations imposed on organizations that transfer data for processing. The first option is to ensure substantial compliance by contract, the second is to use a service provider who is certified in accordance with section 77.

It should be noted that other regimes provide for a range of mechanisms to assist organizations in meeting data protection obligations when personal information flows across borders. These can include: standard contractual clauses (GDPR^{Footnote 55}); model contractual clauses (New Zealand^{Footnote 56}); a list of considerations for contractual clauses (Australia^{Footnote 57}); binding corporate rules (GDPR,^{Footnote 58} Australia^{Footnote 59}); prescribed binding schemes (Australia^{Footnote 60}; New Zealand^{Footnote 61}); or a list of statutory factors for assessment (Quebec^{Footnote 62}). Other jurisdictions also require organizations to have a reasonable basis for believing^{Footnote 63} that the foreign regime meets the prescribed level of adequacy. Quebec’s Bill 64 requires organizations to conduct an assessment according to prescribed factors, and the assessment must establish that the information would “receive protection equivalent to that afforded under this Act.”^{Footnote 64}

Convention 108+ is an interesting and important international data protection convention which Canada should consider joining.^{Footnote 65} Among other things, Convention 108+ addresses cross border data transfers. One provision of Convention 108+ on this subject is not addressed in any way in the CPPA. This relates to requirements of demonstrable accountability and specific remedies: Article 14(6) reads:

Each Party shall also provide that the supervisory authority is entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit such transfers, suspend them or subject them to condition.^{Footnote 66}

Given the significant vulnerabilities that may be experienced by individuals when their data flows across national borders, these additional safeguards should be added to the CPPA.

4. Whether and how to address the adequacy of the destination state’s privacy regime

When personal information is transferred to an offshore service provider, this may entail new risks. As noted earlier, the new realities of cross-border data flows also mean that service providers may well be collecting and using personal information for their own purposes. In the EU, the provisions regarding offshore processing of personal data are premised upon the data receiving an adequate level of protection. Because the CPPA acknowledges that service providers may independently collect and use personal information, and because they would seem to be directly accountable for such collection and use, the adequacy of the legal regime in the service provider’s country takes on direct importance. Under the GDPR, there are a number of ways that adequacy requirements can be met, beginning with an EU-level assessment of the adequacy of the destination country’s data protection regime. Canada has clearly opted not to go this route. Instead, the CPPA’s primary obligation on organizations is to ensure that the service provider can provide a level of protection for the personal data that is substantially the same. This will have to be done through contracts since no other mechanisms are provided for in the CPPA. However, a contract to protect transferred data is different from protection for data independently collected and used by the service provider. As noted above, Codes of Practice and Certification Programs provided for in sections 76-81 of the CPPA, may offer an option similar to the GDPR’s approved sectoral codes and certification mechanisms. However, it is not a clear requirement in the CPPA that this level of protection be present where the service provider collects and uses data for their own purposes. New Zealand’s new Privacy Act 2020^{Footnote 67} offers a good example of how this can be done. Where personal information is used for a service provider’s own purposes, the controller must have “reasonable grounds” to believe that the service provider is subject to privacy laws that provide “comparable safeguards” to New Zealand’s legislation.^{Footnote 68} Alternatively, the service provider must be part of a prescribed binding scheme, or in a country that has been found to provide comparable safeguards.^{Footnote 69} A further alternative is to put in place a contractual arrangement that provides comparable safeguards.^{Footnote 70}

As noted earlier, the general rule with respect to transfers of data to service providers under the CPPA is that the organization is not required to provide either notice or consent with respect to such practices. Subsection 62(1) and paragraph 62(2)(d) suggest that the obligation is slightly different where data is transferred to a service provider outside of the province or the country. These provisions read:

62 (1) An organization must make readily available, in plain language, information that explains the organization’s policies and practices put in place to fulfil its obligations under this Act.

(2) In fulfilling its obligation under subsection (1), an organization must make the following information available:

(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;

The organization is obliged to provide plain language information regarding its policies and practices regarding “whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications.”^{Footnote 71} This could be read as a requirement to provide notice of any transfer or disclosure that has reasonably foreseeable privacy implications. However, the phrasing “whether or not” (in the French version “qu’elle effectue ou non”) suggests that the intention might be to require organizations also to make some sort of affirmative statement to the effect that they believe that their cross-border data transfers or disclosures of personal information have no reasonably foreseeable privacy implications. Nevertheless, it is unclear whether this is a use of the redundant form of ‘whether or not’, and therefore actually means “whether”, or if it is an obligation to specifically address cross-border transfers and to state their presumed impact. This requires clarification.

A further issue is what “reasonably foreseeable privacy implications” means. Presumably all of the measures that are put in place by an organization are to ensure that there will be no privacy implications where data is transferred to a service provider. The “reasonably foreseeable privacy implications” therefore must be a euphemism for additional risks that flow as a result of the laws of the country of processing. These effects can be that those laws will apply to any independent collection, use and disclosure of personal information by the offshore organization, and that Canadians will have to seek recourse under those laws, which may not offer the same level of protection. It may also be that the personal information of Canadians will be subject to access by state authorities in the service provider’s country without adequate recourse for Canadians. Currently, through guidance, the Commissioner requires organizations to provide specific notice of risks related to cross-border transfers with respect to access to the data by state authorities.^{Footnote 72} It is to be noted that the language of paragraph 62(2)(d) reflects an explicit choice not to pursue the route of requiring organizations to ensure that there is an adequate level of protection – including with respect to state access to data – in the destination country. This leaves Canadians vulnerable. Even if the CPPA does not contain a state-level adequacy regime, organizations that engage offshore service providers in the collection, use or disclosure of personal data of Canadians should bear some responsibility for assessing the adequacy of the data protection regime in the country of destination.

Finally, the obligation in paragraph 62(2)(d) seems simply to make information available as to “whether or not” cross border transfers take place and “whether or not” they may have reasonably foreseeable privacy implications. If there are reasonably foreseeable privacy implications, true transparency would require that considerably more information be provided, including the country or countries in which service providers are located. Further, if service providers are to engage directly in the collection and use of personal data, the identity of those service providers should be disclosed, as well as information about the possibility that the service provider engages in these activities and that the service provider, and not the organization, is considered to be accountable for data in these circumstances.

The inclusion of “interprovincial” in paragraph 62(2)(d) is odd, since the focus of this provisions seems clearly to be on the data protection regimes of foreign countries. Another province will either be bound by the CPPA, or by a private sector data protection law that has been found to be substantially similar to the CPPA. Any law enforcement or national security access to the data will presumably be the same as that which can occur under PIPEDA. Unless there is a reason to include ‘interprovincial’ in paragraph 62(2)(d) – and any such reason should be clear – it muddies the waters and should be removed.

Recommendations:

Recommendation 1:

The significance and complexity of cross-border data flows and the growing involvement of small and medium sized enterprises is such that they must be addressed in a specific dedicated section of the statute so that rights and obligations are clear and accessible. This will also serve to make express the fact that the law applies to cross-border data flows. Such a section should contain a version of s. 11 of CPPA reworked to specifically address the context of cross-border transfers.

Recommendation 2:

The changing nature of cross border data flows requires language that clearly reflects these changes. It is therefore recommended that the terms used to describe the actors in cross-border data flows be clear and distinct, and that they be directly related to roles/responsibilities with respect to personal data. This approach will inherently recognize that, for example, an organization may be a processor for some functions and a controller for others.

Recommendation 3:

The CPPA is meant to apply to a broad range of actions (collection, use and disclosure) with respect to data by both organizations and service providers. Some provisions, however, use the terms “transfer” and “transferred data” which do not adequately reflect this broad scope. As a result, there is uncertainty as to the application of these provisions in some circumstances. These provisions should be reviewed and reworded. See, in particular: s. 7(2), s. 11(1), s. 11(2), s. 19, s. 62(2)(d).

Recommendation 4:

The definition of “service provider” expressly contemplates sub-contracting. The law should make it clear that in a sub-contracting situation, the organization/controller remains ultimately accountable for the personal data.

If organizations are meant to be accountable for what happens to personal data in the hands of a subcontractor, the CPPA should provide that a contractor cannot subcontract personal data services without the consent of the organization/controller.

Recommendation 5:

Offshore service providers should not be able to avail themselves of the “business activities” exception to notice and consent in paragraph 18(2)(e) when they engage in the collection and use of data on their own behalf.

Recommendation 6:

Currently, s. 11(1) of the CPPA places an onus on organizations transferring data to service providers to ensure appropriate protection “by contract or otherwise.” Specific tools should be enumerated in the legislation to enable organizations to ensure that “substantially the same protection of personal information” is provided for in contracts involving cross-border transfers of data. These should include standard contractual clauses prescribed by regulations, or non-mandatory contractual clauses developed by the OPC in consultation with stakeholders. Another option is a list of considerations that must be taken into account in drafting contractual clauses.

Nothing in the CPPA is specific as to what “or otherwise” in s. 11(1) might entail. The CPPA should be amended to clearly state that the Codes of Practice and Certification Program provisions can be used to establish “substantially the same protection of personal information” in the context of cross-border data flows. In addition, the law should include options that respond to the reference to “or otherwise,” such as binding corporate rules or schemes.

Recommendation 7:

Currently subsection 11(2) provides that service providers are directly accountable under the CPPA for any of the transferred personal information that the service provider collects, uses, or discloses for its own purposes. This accountability should not be limited to information that is transferred to it, but should also include information that it collects, uses and discloses on its own account in relation to the customers of the organization.

Section 11 should be amended to make it clear that service providers must provide substantially the same protection as the organization is required to provide for all personal information under their control, whether it is transferred to the service provider by the organization or whether the service provider collects, uses or discloses it on behalf of the organization.

Recommendation 8:

The CPPA contemplates that a service provider may collect personal information on behalf of an organization. It should be amended to clarify that where service providers provide information to organizations that may have been collected by the service provider prior to the particular relationship, the organization must ensure that the information was collected in a manner consistent with Canadian data protection law.

Recommendation 9:

Section 61 imposes an obligation on service providers to give notice of data breaches to organization-controllers. In the case of offshore service providers, it is not clear how this obligation is enforceable. The CPPA should be amended to provide that in the case of offshore providers, the obligation to provide notice to the organization/controller must be part of their contractual arrangements.

Recommendation 10:

The ‘transparency’ requirement in paragraph 62(2)(d) is currently inadequate. It should be amended to achieve the following:

The ambiguity around the phrase “whether or not” should be corrected, as well as the uncertainty around what acts have “reasonably foreseeable privacy implications.”
Organizations should be required to provide information about whether they carry out any international transfer or disclosure of personal information, and to provide sufficient details about these activities to enable individuals to understand the implications for their rights and to hold organizations and/or service providers to account. This should include the country or countries in which service providers are located.
Organizations should be required to provide specific notice of any risks regarding access to personal data by the authorities of the service provider’s country.
Where service providers collect and use data for their own purposes, organizations should be required to disclose the identity of the service provider as well as the fact that the service provider, and not the organization, is accountable for this personal data.

Recommendation 11:

Bill C-11 should include a provision that requires organizations to assess whether a contract with a service provider will maintain substantially the same protection as afforded by the CPPA, taking into account the legal data protection regime in place in the country of a service provider that will be collecting, using or disclosing personal data on their behalf.

Recommendation 12:

To enhance the protection of the rights of Canadians in the context of cross border data flows, to ensure that Canada meets the standards set in Convention 108+, and to permit Canada to accede to Convention 108+, the CPPA should be amended to provide that

The Commissioner may request an organization to demonstrate the effectiveness of any safeguards put in place to govern data transfers;
The Commissioner be specifically empowered to prohibit, suspend, or place conditions on, offshore transfers of data where substantially similar protection is not in place.

Footnotes

Footnote 1

See, for example, the digital trade provisions in Chapter 19 of the Canada-United States-Mexico Agreement (CUSMA), December 10, 2019.

Return to footnote 1

Footnote 2

(EU) 2016/679 [GDPR].

Return to footnote 2

Footnote 3

GDPR, Ibid., art 45(1).

Return to footnote 3

Footnote 4

Data Protection Commissioner v. Facebook Ireland Ltd., Maximillian Schrems (Case C-311/18).

Return to footnote 4

Footnote 5

See, e.g.: New Zealand, Privacy Act 2020, No. 31, Information Privacy Principle 12, “Disclosure of Personal Information Outside New Zealand”; Australia, Privacy Act 1988, No. 119, 1988, Information Privacy Principle 8, Schedule I, “Crossborder Disclosure of Personal Information.”

Return to footnote 5

Footnote 6

Privacy Act 2020, Ibid.

Return to footnote 6

Footnote 7

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 42d Legislature, 1^st Sess. All references to Bill 64 in this document are to the new or modified provisions of An Act respecting the protection of personal information in the private sector proposed in the bill.

Return to footnote 7

Footnote 8

An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 43^rd Parl. 2d Sess., 69 Elizabeth II, 2020. [Bill C-11].

Return to footnote 8

Footnote 9

S.C. 2000, c. 5.

Return to footnote 9

Footnote 10

The text of each of the provisions of the CPPA discussed in this paper is found in Appendix I to this document.

Return to footnote 10

Footnote 11

Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data, adopted by the Committee of Ministers at its 128^th Session, in Elsinore on 18 May 2018 [Convention 108+].

Return to footnote 11

Footnote 12

See, e.g., GDPR, supra note 2, art. 46(2).

Return to footnote 12

Footnote 13

An example of this would be where the offshore service provider also collects personal data for its own purposes.

Return to footnote 13

Footnote 14

This is the model adopted in Australia. See: Privacy Act 1988, supra note 5, Australian Privacy Principle 8, s. 8.2(a). See also New Zealand’s Privacy Act 2020, supra note 5, Information Privacy Principle 12(1)(c). Quebec’s Bill 64, supra note 7, provides in a proposed s. 17(4) that an organization must assess “the legal framework applicable in the State in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec.” In addition to the option for an organization to assess the legal framework in place in a destination country, Quebec’s Bill 64 also leaves open the possibility for the Quebec government to involve itself in the assessment of the adequacy of other countries’ privacy frameworks (proposed art. 17.1).

Return to footnote 14

Footnote 15

This is the option chosen under the GDPR, supra note 2.

Return to footnote 15

Footnote 16

Office of the Privacy Commissioner of Canada, Guidelines for processing personal data across borders, January 2009.

Return to footnote 16

Footnote 17

Ibid.

Return to footnote 17

Footnote 18

Ibid.

Return to footnote 18

Footnote 19

Ibid.

Return to footnote 19

Footnote 20

Bill 64, supra note 7, proposed arts. 17 and 17.1.

Return to footnote 20

Footnote 21

GDPR, supra note 2, art. 44.

Return to footnote 21

Footnote 22

Ibid., art 4(7).

Return to footnote 22

Footnote 23

Personal Information Protection and Electronic Documents Act, S.C. 2005, s. 2 “organization” [PIPEDA]; Bill C-11, supra note 8, s. 2, “organization.”

Return to footnote 23

Footnote 24

See the discussion of this issue under “Who is accountable,” below.

Return to footnote 24

Footnote 25

GDPR, supra note 2, art 4(8).

Return to footnote 25

Footnote 26

GDPR, Ibid., art. 4(2).

Return to footnote 26

Footnote 27

Note that in its Guidelines for processing personal data across borders, supra note 16, the Office of the Privacy Commissioner has used the terms “processor” and “processing” since 2009 to describe activities related to the cross-border transfer of data for processing. Bill C-11 uses different language. This may be in part because the government seeks to signal that the scope of the obligation has changed from PIPEDA to Bill C-11 – that it is not just transfers for processing of the kind captured by PIPEDA that will be caught by Bill C-11, but a much broader range of data-related services.

Return to footnote 27

Footnote 28

The vocabulary used in the CPPA is challenging, particularly when it comes to what is understood as the controller-processor relationship. Under the CPPA, this is more or less the “organization” – “service provider” relationship, but neither term is defined in terms of roles with respect to data, and, in fact, the definition of “service provider” uses the term “organization.”

Return to footnote 28

Footnote 29

Bill C-11, supra note 8, s. 2.

Return to footnote 29

Footnote 30

This is supported by s. 62(2)(d) of Bill C-11, Ibid., which refers to organizations carrying out international transfers or disclosures of data.

Return to footnote 30

Footnote 31

The only suggestion in Bill C-11, Ibid., that a service provider might be offshore is indirect, and is found in s. 62(2)(d).

Return to footnote 31

Footnote 32

See, for example, Bill C-11, Ibid., s. 61.

Return to footnote 32

Footnote 33

This is reinforced to some extent by s. 7(2), which provides that “Personal information is under the control of the organization that decides to collect it and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.”

Return to footnote 33

Footnote 34

Bill C-11, supra note 8, s. 7(1).

Return to footnote 34

Footnote 35

Ibid., s. 7(2). My emphasis.

Return to footnote 35

Footnote 36

See the vocabulary issues identified above under “To whom obligations will apply and in what circumstances.”

Return to footnote 36

Footnote 37

Ibid., s. 11(2).

Return to footnote 37

Footnote 38

Note that this is one of the circumstances in which an adequacy assessment would be important, since accountability would lie with the offshore service provider. Even if held accountable under the CPPA, the likelihood of compliance will be influenced by the parameters set by the service provider’s own domestic data protection law.

Return to footnote 38

Footnote 39

Ibid., s. 11(2). My emphasis.

Return to footnote 39

Footnote 40

PIPEDA Report of Findings #2019-001, Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal information, April 9, 2019.

Return to footnote 40

Footnote 41

Note that paragraph 18(2)(e) allows an organization to collect and use personal information without knowledge or consent where “obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.” This might enable the service provider to engage in the collection and use of personal information about its principal’s customers.

Return to footnote 41

Footnote 42

The alternative is to accept that organizations could evade Canadian law by engaging offshore companies to collect data that they would not themselves be able to collect, or by using methods of collection that would not be permitted under Canadian law.

Return to footnote 42

Footnote 43

See, e.g., Bill C-11, supra note 8, s. 18.

Return to footnote 43

Footnote 44

Ibid., s. 55(3).

Return to footnote 44

Footnote 45

Bill C-11, supra note 8, s. 61

Return to footnote 45

Footnote 46

Ibid.

Return to footnote 46

Footnote 47

The real and substantial connection analysis, in essence, considers whether the offshore actor has a sufficient connection to Canada such that its actions and their effects bring it under the scope of the law. See, for example: A.T. v. Globe24h.com, 2017 FC 114; Lawson v. Accusearch, Inc., 2007 FC 125.

Return to footnote 47

Footnote 48

The GDPR requires an “adequate” level of protection, which is measured against the protection offered by the GDPR. Quebec’s Bill 64 refers to “equivalent” protection. Australia’s legislation uses “substantially similar,” while New Zealand’s new Privacy Act 2020 refers to “comparable safeguards.”

Return to footnote 48

Footnote 49

GDPR, supra note 2, s. 46(2).

Return to footnote 49

Footnote 50

Bill 64, supra note 7, s. 17.

Return to footnote 50

Footnote 51

Note that under s. 109(b) of Bill C-11, supra note 8, the Commissioner will be authorized to develop guidance materials on his own initiative or at the request of the Minister, through a process of stakeholder consultation.

Return to footnote 51

Footnote 52

Bill C-11, supra note 8, s. 76(2).

Return to footnote 52

Footnote 53

Ibid., s. 77.

Return to footnote 53

Footnote 54

Ibid., s. 122.

Return to footnote 54

Footnote 55

GDPR, supra note 2, art. 46(2)(c) and (d).

Return to footnote 55

Footnote 56

New Zealand Privacy Commissioner Blog, “Privacy 2.0: Model contract clauses,” 11 May 2020,.

Return to footnote 56

Footnote 57

Office of the Australian Information Commissioner, APP Guidelines, Chapter 8: Australian Privacy Principle 8 – Cross border disclosure of personal information. Version 1.2, July 2019, at 4., at 6-7 [APP Guidelines].

Return to footnote 57

Footnote 58

GDPR, supra note 2, art. 47.

Return to footnote 58

Footnote 59

APP Guidelines, supra note 57, at 8.

Return to footnote 59

Footnote 60

Ibid.

Return to footnote 60

Footnote 61

New Zealand Privacy Act 2020, supra note 5, Information Privacy Principle 12.

Return to footnote 61

Footnote 62

Bill 64, supra note 7, s. 17.

Return to footnote 62

Footnote 63

APP Guidelines, supra note 57, at Clause 8.2(a)(i); New Zealand Privacy Act 2020, supra note 5, Clause 12(1)(c).

Return to footnote 63

Footnote 64

Bill 64, supra note 7, s. 17.

Return to footnote 64

Footnote 65

See, e.g.: Colin Bennett, “The Council of Europe’s Modernized Convention on Personal Data Protection: Why Canada Should Consider Accession,” CIGI Papers No. 246, November 2020.

Return to footnote 65

Footnote 66

Convention 108+, supra note 10, article 14(6).

Return to footnote 66

Footnote 67

Supra note 5.

Return to footnote 67

Footnote 68

Ibid., Information Privacy Principle 12(1)(c).

Return to footnote 68

Footnote 69

Ibid., Information Privacy Principle 12.

Return to footnote 69

Footnote 70

Ibid., Information Privacy Principle 12(1)(f).

Return to footnote 70

Footnote 71

The French language version of paragraph 62(2)(d) in full is « d) le fait qu’elle effectue ou non des transferts ou des communications de renseignements personnels interprovinciaux ou internationaux pouvant avoir des répercussions raisonnablement prévisibles sur la vie privée. »

Return to footnote 71

Footnote 72

See: Guidelines, supra note 16, which provide: “Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected.”

Return to footnote 72

Date modified:: 2021-05-11

Language selection

Search and menus

Search

Bill C-11’s Treatment of Cross-Border Transfers of Personal Information

Table of Contents

Introduction

Framework

Context

Analysis

1. To whom obligations will apply and in what circumstances

2. Who is accountable?

3. What conditions must be met before the data can flow across borders?

4. Whether and how to address the adequacy of the destination state’s privacy regime

Recommendations:

Recommendation 1:

Recommendation 2:

Recommendation 3:

Recommendation 4:

Recommendation 5:

Recommendation 6:

Recommendation 7:

Recommendation 8:

Recommendation 9:

Recommendation 10:

Recommendation 11:

Recommendation 12: