This interesting thread [webmasterworld.com...] raised the interesting question of trying to comply with requirements created when the privacy folks get way involved in legislative processes. My understanding is that Europe passed laws prohibiting data transfers of personal information to non-European countries unless those countries had legislation substantially similar to the European legislation, and that that caused Canada to pass similar legislation. My understanding is the US declined to follow suit and, rather than follow the Canadian approach, arranged the Safe Harbour procedure [export.gov...].
My reading suggests that due to the Canadian approach there may be legal impediments for Canadians wishing to use foreign service providers. Seems to me this would include non-Canadian hosting services and other service providers such as online payment processors, discussion boards, conferencing, data storage systems and many other services.
I am not a privacy lawyer, but it looks to me like Canada’s federal Privacy Commissioner’s office believes Canadian law requires Canadians allowing personal information to be handled by foreign services to:
a. inform their customers that their customers’ personal information will be sent outside the country and become subject to foreign laws.
b. enter written contracts with the foreign service providers requiring the foreign service providers to provide comparable protections to what the Canadian law requires of the Canadians (the legislation permits the use of “other means” to achieve the same result.)
In their most recent publication at [privcom.gc.ca...], the office has written on this point:
“Principle 4.1.3 of PIPEDA imposes the following obligation on organizations that outsource business functions that involve the transfer of personal information to a third party service provider:
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Under a separate provision, Principle 4.8, PIPEDA requires organizations to be open about their policies and practices relating to the management of personal information.”
Regarding the second, one wonders what those “other means” could be. Perhaps due diligence inspections, but what are the chances many non-Canadian service providers would allow inspections or audits for a potential Canadian customer to perform the required due diligence? The vast majority of Canadian businesses are comprised of a handful of people. So I doubt whether they would even know how to perform the due diligence or have the resources to do it, and I doubt whether many would have sufficient business value to cause the non-Canadian to consider submitting to such a review. Even if they did, inspection now does not bind the other folks to compliance next week.
Also regarding the second, what are the chances of many non-Canadian service providers signing contracts with the, usually small, Canadian businesses that would oblige the non-Canadian service providers to provide protections comparable to those required by Canadian law of the Canadians?
Regarding the obligations to which the non-Canadians would have to agree:
Here are a couple of lists from the Canadian federal privacy commissioner’s office in A Guide for Businesses at [privcom.gc.ca...]:
“Third party transfers
* Do you use contracts to ensure the protection of personal information transferred to a third party for processing?
* Does the contract limit the third party's use of information to purposes necessary to fulfil the contract?
* Does the contract require the third party to refer any requests for access or complaints about the information transferred to you?
* Does the contract specify how and when a third party is to dispose of or return any personal information it receives?”
“When transferring personal information to third parties, ensure that they:
* Name a person to handle all privacy aspects of the contract.
* Limit use of the personal information to the purposes specified to fulfil the contract.
* Limit disclosure of the information to what is authorized by your organization or required by law.
* Refer any people looking for access to their personal information to your organization.
* Return or dispose of the transferred information upon completion of the contract.
* Use appropriate security measures to protect the personal information.
* Allow your organization to audit the third party's compliance with the contract as necessary.”
Regarding the obligations on Canadians to provide transparency and to enter contracts, the office has written at [privcom.gc.ca...] the following:
“The Assistant Commissioner concluded by stating that the Act cannot prevent a Canadian company from sharing customer personal information with a foreign-based parent. What the Act does is require organizations to be transparent about their personal information handling practices and to protect customer personal information in the hands of foreign-based service providers to the extent possible by contractual means. This Office’s role is to ensure that organizations meet these requirements….”
It seems to be a welcome retreat from their original position (after the US Patriot Act), where they were even trying to ask whether Canadians “should” outsource outside of Canada, when in 2004 at [privcom.gc.ca...] the Canadian federal privacy commissioner, concerned with the American Patriot Act, wrote:
“This has important implications for the “outsourcing” by a company in Canada subject to PIPEDA of data processing to organizations based abroad. For example, if a Canadian company outsources the processing of personal information to the United States, that personal information may be accessible under US law. The broader policy question is whether the Canadian company should outsource personal information when that information will become subject to such laws. At the very least, a company in Canada that outsources information processing in this way should notify its customers that the information may be available to the US government or its agencies under a lawful order made in that country.”
Regarding what the Canadians must get the non-Canadians to sign:
It does appear to require the contracts to require the non-Canadian service providers to provide protections comparable to those required by Canadian laws. In the Ticketmaster investigation at [privcom.gc.ca...], reiterated at [privcom.gc.ca...], is:
“The Assistant Commissioner stated that online companies operating in Canada must implement measures to ensure compliance with PIPEDA. In particular, they must observe the following:
Businesses are responsible for protecting their customers’ personal information, by contractual or other means, which has been transferred to a third party for processing. The level of protection must be comparable with that provided by the business that collected the information.”
The Privacy Commissioner released a book on the subject last week. The provisions dealing specifically with these issues are at [privcom.gc.ca...] (linked to earlier above).
When requested to accept a contractual duty to provide comparable protections to those required by the Canadian law, my guess is most non-Canadian service providers would be disinclined to acquiesce to such a request.
I guess if the Canadian is a large enough company, they would have sufficient market value to the non-Canadians to cause the non-Canadians to consider cooperating with a due diligence audit or entering such a contract, but there is no way the vast majority of Canadian commercial operators, who are usually small operations, would have the resources to comply or the clout to cause the non-Canadians to comply.
So, does this mean that, in practice, to comply with Canadian laws, most Canadians will have to use only Canadian service providers who do not transfer personal information data to hardware outside of Canada nor to non-Canadian entities within Canada (who may be subject to foreign laws)?
Not a good situation as some of the larger apparently “Canadian” hosts store their data outside Canada.
Further, the requirement of providing a comparable level of protection applies to all transfers, not only to ones outside of Canada. The Canadian hosts I have spoken with don't seem inclined to sign contracts undertaking to provide the same protections as their customers. Maybe "or other means" may (and I have no idea whether this would be correct; it is merely a guess) allow a Canadian using a Canadian host, all of whose hardware is in Canada, to rely on the fact that that host would also be subject to the PIPEDA law and consequently would not violate PIPEDA with the personal information. I don't know. The legislation uses the verb "use", which may require some action rather than merely reliance. Perhaps if they have the host confirm in writing that they are Canadian owned and operated and all of their hardware is within Canada?
Frankly, having read the Privacy Commissioner’s Guide for Businesses, I am pretty sure most Canadians are both ignorant of, and non-compliant with, even the within Canada duties (the ones the Canadians are supposed to get the non-Canadians to sign a contractual duty to accept), let alone the requirements relating to cross-border or to other organization data transfers.
How, if at all, are you folks addressing these questions?
[edited by: 4thePegeh at 5:41 pm (utc) on June 2, 2008]