Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2008-394

Outsourcing of canada.com e-mail services to U.S.-based firm raises questions for subscribers

[Principles 4.1.3, 4.3, 4.3.2]

Lessons Learned

The Office of the Privacy Commissioner of Canada recognizes and shares the continued interest that Canadians and Canadian businesses have in the flow of their personal information beyond our borders. The Office has previously considered issues surrounding foreign outsourcing in Case Summaries #2005-313 and #2007-365.

The present Case Summary addresses several of the same issues and summarizes the Office’s position:

  • The Personal Information Protection and Electronic Documents Act (the Act) does not prohibit organizations from outsourcing their operations across international borders.
  • It is important for organizations to assess the risks that could jeopardize the security and confidentiality of customer personal information when it is transferred to foreign-based third-party service providers. The measures by which personal information is protected by a foreign-based firm must be formalized with the organization by using contractual or other means.
  • No contract or contractual provision can override the laws of a country to which the information could be subject once the information has been transferred.
  • Organizations must be transparent about their personal information handling practices. A company in Canada that outsources personal information processing to a company that operates in another country should notify its customers that the information may be available to the government of that country or its agencies under a lawful order made in that country.
  • With regard to the issue of customer consent, the Office has taken the position that the sharing of information with a third-party service provider constitutes a “use” for the purposes of the Act. Organizations obtain customer consent for the use of personal information for the provision of services or products when individuals first apply for the service or product. Although service providers may change over time, if the purpose of the current provider’s use of the personal information has remained the same, organizations are not required to obtain renewed customer consent for the information use.

Two complainants expressed doubt that subscribers’ personal information was adequately protected after canada.com e-mail operations were outsourced to a U.S.-based firm. Moreover, the complainants did not believe that existing subscribers had had an opportunity to consent to the transfer of their information to the U.S. or that new subscribers were properly informed that their information would be used and stored in the U.S.

The Office’s investigation established that existing subscribers were informed in advance that their new log-in to their account would be an opportunity for them to accept or reject the terms of the services. New e-mail subscribers were also informed, both of information transfers to the U.S.-based provider and of potential privacy implications.

The Assistant Privacy Commissioner was satisfied that canada.com had fulfilled its obligations to provide comparable protection under the Act by putting in place adequate contractual provisions. She noted that since the third party in this case is a U.S. company operating in that country, it is subject to U.S. laws, some of which could compel that company to disclose to U.S. authorities information in its possession.

The following is a detailed account of the Assistant Commissioner’s investigation and findings:

Summary of Investigation

Complainants’ position

According to the complainants, on February 20, 2007, canada.com sent an e-mail to its subscribers stating that e-mail services would henceforth be operated by a company based in the U.S. The complainants contended that, with no mention of obtaining the prior consent of subscribers, the e-mail also advised that all previously saved messages, folders and settings would automatically be transferred to the new account.

The Office examined a copy of that e-mail. The e-mail stated that upon logging in to their new account, subscribers would be asked to accept or decline the new services. If subscribers declined, their e-mail account and all its contents would be permanently deleted.

The complainants asserted that new subscribers to canada.com’s e-mail services must provide their agreement with the company’s terms and conditions, as well as with its privacy statement. The complainants noted that the terms and conditions point out that e-mail services are provided by a third party located in the U.S. and that, as such, the disclosure of subscriber personal information stored in that location is subject to foreign laws.

According to the complainants, the Frequently Asked Questions (FAQs) document produced by the respondent states the following:

… information processed or stored outside of Canada … no longer falls under the jurisdiction of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) nor be subject to canada.com’s Privacy Statement ....

The complainants included in their representations copies of canada.com’s website home page, the FAQs page, registration page, privacy statement and the terms and conditions document.

The complainants also cited an e-mail dated March 29, 2007, from the legal representative of the respondent to a canada.com subscriber in which the subscriber was advised that under the contractual agreement between the respondent and the U.S.-based e-mail provider, the provider was obligated to comply with privacy laws “… to the extent that they do not conflict with American Laws.”

Respondent’s position

In its representations, the respondent, CanWest Publishing Inc. (CanWest), explained that canada.com is an interactive Web portal owned and operated by CanWest, and that the e-mail services have always been provided by various third parties since 1998. (Since 2006, its e-mail service providers have operated from the U.S.) Moreover, from the respondent’s point of view, the movement of client information to the third party does not constitute a disclosure, but rather an information transfer.

With regard to CanWest obtaining the consent of existing subscribers in early February 2007 for the purpose of transferring their personal information for e-mail services, the company contended that the necessary consent had previously been obtained when these subscribers originally signed up for canada.com e-mail. Although the third-party service provider may have changed in February 2007, the purpose of the third-party information transfer has remained constant and, thus, subscriber consent did not require renewal. CanWest noted that this position is in keeping with the findings of the Office’s Case Summary #2005-313.

Moreover, CanWest contends that, because the data was fragmented and some of it was still stored in Canada, no personally identifiable information of existing subscribers was ever transferred to the new, U.S.-based provider until subscribers had clearly consented to it.

CanWest provided a description of what would happen during the first login for existing e-mail subscribers on and after February 28, 2007 (i.e. the “go live” date for the new service): first, a subscriber login would be re-directed from Canada to the third-party’s servers in the U.S., where partial data (i.e. subscriber e-mail message content, passwords and usernames) awaited activation, having previously been transferred and stored there. The usernames were stored on separate servers from the message content. Meanwhile, the full name and address of subscribers (“account information”) remained on the canada.com servers in Canada, where the respondent claims that it has always been stored.

Since the subscriber data was still in raw format, CanWest did not consider it to be personally identifiable information at this point.

Upon receipt of the login, the third-party servers would then send an electronic message to the canada.com servers in Canada, asking for authentication of the user. Subscribers were then informed by way of a pop-up window of the new service provider in the U.S. (identified by name) and that, until they logged in and accepted the terms and conditions and the CanWest privacy statement, any of their e-mail content and username information would not be activated and could not be accessed by any third party.

If subscribers indicated their agreement, the server in Canada sent an “authentication ticket” to the U.S.-based server, which synchronized subscriber e-mail content information with the username. According to the respondent, in the event that a subscriber declined the new service, the account would be immediately and permanently deleted from the U.S.-based servers. Ninety days after the “go live” date, inactive accounts were also permanently deleted from these servers.

Concerning new subscribers’ consent, they must also accept the company’s privacy statement. CanWest also currently informs them in its terms and conditions (updated on February 28, 2007) of the following:

You acknowledge that in the event that a third party service provider is located in the United States or another foreign country, your personal information may be processed and stored in the United States or such other foreign country, and the governments, courts or law enforcement or regulatory agencies of that country may be able to obtain disclosure of your personal information through the laws of the foreign country.

This information is also available in its FAQs document, available on the canada.com website, which clearly states that canada.com e-mail is provided by “…a company located in and conducting its business from the United States.”

CanWest conceded to this Office that its FAQs document originally misrepresented the jurisdictional powers of the Act for personal information collected in Canada and transferred to another country. This erroneous information was also communicated to subscribers in the pop-up window that appeared (as a reminder) simultaneously with each e-mail login/sign up for approximately one week after subscriber agreement was obtained. It read as follows:

… information processed or stored outside of Canada may … no longer fall under the jurisdiction of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) nor be subject to canada.com’s Privacy Statement ....

On March 14, 2007, the FAQs document was revised as follows:

… the information processed or stored outside of Canada may be available to the foreign government of the country in which the information or the entity controlling it is situated under a lawful order made in that jurisdiction.

The respondent also concedes that it erroneously advised subscribers in an e-mail dated March 29, 2007, that under the contractual agreement between the two parties, the third-party provider was obligated to comply with privacy laws “… to the extent that they do not conflict with American Laws.” CanWest has reviewed its message and now claims that the signed agreement does not, in fact, contain any statement worded in such a manner. Rather, the intended message to subscribers was to convey the following:

… while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws. (Case summary #2005-313)

With regard to the level of personal information safeguarding required of the U.S.-based third party by CanWest, the latter provided our investigation with a copy of the signed agreement between the two parties, as well as four particular confidentiality items with which the third party must comply.

In addition, CanWest responded that the third party has in place strict technical requirements for the storage and processing of subscriber data (including separate storage of the e-mail content and user information) and for hosting the directory on a Uniform Naming Convention file share so as to disable text-based file queries. The U.S.-based servers are located in a 24-hour-secure data center, accessible only by authorized personnel.

Lastly, the respondent addressed the issue of the disclosure of personal information without consent in the context of the USA PATRIOT Act and privacy laws. CanWest contends that, notwithstanding the storage location of personal information data—for example, in Canada or the U.S.—the Personal Information Protection and Electronic Documents Act (PIPEDA) does not preclude disclosures to government institutions without an individual’s consent. By way of example, CanWest cited paragraphs 7(3)c, 7(3)c.1, 7(3)c.2 and 7(3)i of PIPEDA, which describe particular circumstances involving governmental or legal authorities under which disclosure of personal information may occur without the knowledge and consent of the individual. In light of these provisions, CanWest states that “… government access without consent will always remain a possibility, both in Canada and in the United States.”

Responding to the notion that the USA PATRIOT Act more readily allows access by U.S. authorities to Canadians’ personal information—when compared to other statutes and information-sharing agreements—CanWest states the following:

While it is within the power of an organization to set forth contractual and operational controls on the treatment of personal information by its service providers, it is unreasonable to expect organizations to conduct exhaustive surveys of data access statutes in every jurisdiction in which they process or store data and make a determination whether or not those statutes put the data at greater risk than they would if situate in Canada. We submit that such a standard goes beyond the spirit and intent of PIPEDA, particularly the reasonableness standard set forth in Section 3.

Findings

Issued August 7, 2008

Application: Principle 4.1.3 of the Act states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.3 provides that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 clarifies that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information shall be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

In making her determinations, the Assistant Commissioner deliberated as follows:

Consent:

  • With regard to the issue of customer consent, the Office has taken the position in previous findings that the sharing of information with a third-party service provider constitutes a “use” for the purposes of the Act. In the Assistant Commissioner’s view, CanWest obtains customer consent for the use of personal information for the provision of e-mail when subscribers first sign up for canada.com e-mail services. Although the service provider has changed over time, the purpose of the current provider’s use of the personal information has remained the same. Thus, the respondent was not required to obtain customer consent for the information use when the new provider took over the service in February 2007.
  • Nonetheless, at the time of the transfer of information to the new service provider, both new and existing customers were informed directly of the new arrangement (by e-mail) and were provided with a clear opportunity to consent to it by means of a pop-up box at time of login. Available supporting documents conveying the same information included the company’s terms and conditions, privacy policy and the frequently asked questions (FAQs). Both the terms and conditions and the FAQs clearly advised subscribers that some information was stored in the U.S. and could potentially be accessed by a foreign government.
  • Moreover, the Assistant Commissioner noted that any data which was transferred to the new service provider prior to notification of the subscribers in February 2007 was, in fact, not accessible to any third party and could not be personally identifiable until consent was given by e-mail account holders. Consequently, the Assistant Commissioner believed that Principles 4.3 and 4.3.2 were upheld.

Accountability and protection:

  • The Assistant Commissioner was satisfied that CanWest maintains custody and control of the information that is processed by its third-party service provider in the U.S. The service agreement between the two parties relies on unambiguous language that provides guarantees of the confidentiality and security of personal information, and it allows for oversight, monitoring and audit of the services being provided. The contractual provisions with regard to information protection are no less stringent than they would be if the service provider were located within Canadian borders.   
  • Concerning U.S. authorities’ access to subscriber personal information by virtue of a Section 215 Order under the USA PATRIOT Act, CanWest cannot rely on the exceptions set out in paragraphs 7(3)c, 7(3)c.1, 7(3)c.2 and 7(3)i of the Act. This position is consistent with our Office’s findings in Case Summary #2005-313. For that matter, it is also not possible for CanWest to use contractual or other provisions to override the provisions of the U.S. statute.
  • The Assistant Commissioner noted that organizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such a service provider to the country’s government or agencies. In this respect, she found that CanWest respected its obligation by reliably informing its subscribers, new and existing, of its arrangement with a new U.S.-based e-mail provider and of the potential impact on confidentiality of subscriber information. Consequently, Principle 4.1.3 was not contravened.
  • The risk of a U.S.-based service provider being ordered to disclose personal information to U.S. authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to (and may be just as likely to receive) similar types of orders to disclose personal information of Canadians to Canadian authorities. There are also several formal bilateral agreements in place between analogous Canadian and U.S. organizations that provide for the cooperation and exchange of relevant information. In light of such arrangements, there are many alternatives to a Section 215 Order to obtain information about Canadians.

Conclusion

Satisfied that the respondent had met its obligations under the Act, the Assistant Commissioner concluded that the complaints were not well-founded.

Post-Script

After the Assistant Commissioner issued her findings, she was requested to clarify her comments from the following paragraph:

Concerning U.S. authorities’ access to subscriber personal information by virtue of a Section 215 Order under the USA PATRIOT Act, CanWest cannot rely on the exceptions set out in paragraphs 7(3)c, 7(3)c.1, 7(3)c.2 and 7(3)i of the Act. This position is consistent with our Office’s findings in Case Summary #2005-313. For that matter, it is also not possible for CanWest to use contractual or other provisions to override the provisions of the U.S. statute. 

The Assistant Commissioner explained that her remarks were provided in the context of analyzing the issue of whether CanWest was ensuring a comparable level of protection with respect to the personal information being processed by its third-party, foreign-based service provider.

Her comments were intended to echo earlier findings made by the Office, as outlined in Case Summary #2005-313, the fact situation of which is analogous to the present case. In Case Summary #2005-313, this Office noted that while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country―no contract or contractual provision can override those laws.

Similarly, in the present case, CanWest cannot prevent its customers’ personal information from being lawfully accessed by U.S. authorities. Should a Section 215 Order be issued against CanWest’s third-party service provider, the service provider would be obliged to respond as it is a U.S. company subject to U.S. laws. CanWest could do nothing to prevent its third-party service provider from responding to an order issued under the laws of the country in which the provider operates. The exceptions to consent would not be relevant in this scenario since CanWest would not be the party responding to the Order―the service provider would be.

The Assistant Commissioner further noted that her position in the present case is consistent with that contained in Case Summary #2007-365, where it was found that the Act could not prevent foreign authorities from lawfully accessing the personal information of Canadians held by organizations within their jurisdiction. Moreover, we noted that the respondents themselves in Case Summary #2007-365 did not disclose the information―their common service provider did. In the present case, CanWest also notified customers of its arrangement with a U.S.-based e-mail provider.

See also

#2005-313 Bank's notification to customers triggers PATRIOT Act concerns

#2007-365 Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered

Final Comment

The Assistant Commissioner emphasizes the importance of organizations assessing the risks that could jeopardize the security and confidentiality of customer personal information when it is transferred to foreign-based third-party service providers. It is essential that organizations using third-party service providers outside Canada use contractual or other means to provide a comparable level of protection while the information is being processed by the third party.