Memorandum of Understanding (Germany)

BETWEEN

THE PRIVACY COMMISSIONER OF CANADA AND the Federal Commissioner for Data Protection and Freedom of Information of Germany

ON

MUTUAL ASSISTANCE IN THE ENFORCEMENT OF LAWS PROTECTING PERSONAL INFORMATION IN THE PRIVATE SECTOR

The Privacy Commissioner of Canada (“PCC”) and the Federal Commissioner for Data Protection and Freedom of Information of Germany (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit – “BfDI”) (“the Participants”)

  • recognize the nature of the modern global economy, the increase in circulation and exchange of personal information across borders, the increasing complexity and pervasiveness of information technologies, and the resulting need for increased cross-border enforcement cooperation;
  • recognize that both the OECD Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy and the APEC Privacy Framework call on member countries and economies to develop cross-border information sharing mechanisms and bilateral or multilateral enforcement cooperation arrangements;
  • recognize that s. 23.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 authorizes the PCC to share information with authorities from other countries that have responsibilities relating to the protection of personal information in the private sector;
  • recognize that Art. 4b in connection with Art. 15 of the Federal Data Protection Act (Bundesdatenschutzgesetz; BGBl I 2003, page 66ff; most recent amendment in BGBl I 2009 page 2814) authorizes the BfDI to share information with authorities from other countries that have responsibilities relating to the protection of personal information in the private sector; and
  • recognize that the Participants have similar functions and duties with respect to the protection of personal information in the private sector in their respective countries.

They therefore have come to the following understanding:

  1. Definitions

    For the purposes of this Arrangement,

    1. “Applicable Privacy Law” means the laws and regulations of the Participant’s country the enforcement of which have the effect of protecting personal information. In the case of the PCC, “Applicable Privacy Law” means Part 1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and, in the case of the BfDI, it means the Federal Data Protection Act; as well as any amendments to the Participants’ Applicable Privacy Laws, and such other laws or regulations as the Participants may from time to time jointly decide in writing to be an Applicable Privacy Law for purposes of this Arrangement.
    2. “Person” means any natural person or legal entity, including any corporation, unincorporated association, or partnership.
    3. “Request” means a request for assistance under this Arrangement.
    4. “Requested Participant” means the Participant from which assistance is sought under this Arrangement, or which has provided such assistance.
    5. “Requesting Participant” means the Participant seeking or receiving assistance under this Arrangement.
    6. “Covered Privacy Contravention” means conduct that would be in contravention of the Applicable Privacy Laws of one Participant’s country and that is the same or substantially similar to conduct that would be in contravention of the Applicable Privacy Laws of the other Participant’s country.
  2. Objectives and scope
    1. The Participants understand that it is in their common interest to:
      1. cooperate with respect to the enforcement of the Applicable Privacy Laws, including the sharing of relevant information and the handling of complaints in which the Participants are mutually interested;
      2. facilitate research and education related to the protection of personal information;
      3. promote a better understanding by each Participant of economic and legal conditions and theories relevant to the enforcement of the Applicable Privacy Laws; and
      4. keep each other informed of developments in their respective countries having a bearing on this Arrangement.
    2. In furtherance of these common interests, and subject to Section IV, the Participants will use best efforts to:
      1. share information that a Participant believes would be relevant to ongoing or potential investigations or proceedings in respect of Covered Privacy Contraventions of the Applicable Privacy Laws of the other Participant’s country;
      2. exchange and provide relevant information in relation to matters within the scope of the Arrangement, such as information relevant to consumer and business education; government and self-regulatory enforcement solutions; amendments to relevant legislation; and staffing and resource issues; and
      3. arrange for short-term and, possibly, long-term staff exchanges to facilitate and develop enforcement cooperation between the Participants.
    3. In furtherance of these common interests, and subject to Section IV, the Participants recognize potential parallel or joint investigations or enforcement actions by the Participants as priority issues for potential cooperation.
  3. Procedures Relating to Mutual Assistance
    1. Each Participant will designate a primary contact for the purposes of requests for assistance and other communications under this Arrangement.
    2. In requesting assistance in procedural, investigative and other matters involved in the enforcement of Applicable Privacy Laws across borders, Participants will ensure that:
      1. Requests for assistance include sufficient information to enable the Requested Participant to determine whether a request relates to a Covered Privacy Contravention and to take action in appropriate circumstances. Such information may include a description of the facts underlying the request and the type of assistance sought, as well as an indication of any special precautions that should be taken in the course of fulfilling the request;
      2. Requests for assistance specify the purpose for which the information requested will be used; and
      3. Prior to requesting assistance, Participants perform a preliminary inquiry to ensure that the request is consistent with the scope of this Arrangement and does not impose an excessive burden on the Requested Participant.
    3. Participants intend to communicate and cooperate with each other, as appropriate, about matters that may assist ongoing investigations.
    4. The Participants will notify each other without delay, if they become aware that information shared under this Arrangement is not accurate, complete, and up-to-date.
    5. Subject to Section IV, Participants may, as appropriate and subject to their Applicable Privacy Laws, refer complaints to each other, or provide each other notice of possible Covered Privacy Contraventions of the Applicable Privacy Laws of the other Participant’s country.
    6. Participants will use their best efforts to resolve any disagreements related to co-operation that may arise under this Arrangement through the contacts designated under Section III. A, and, failing resolution in a reasonably timely manner, by discussion between the heads of the Participants.
  4. Limitations on Assistance and Use
    1. The Requested Participant may exercise its discretion to decline the request for assistance, or limit or condition its cooperation, in particular where it is outside the scope of this Arrangement, or more generally where it would be inconsistent with domestic laws, or important interests or priorities. The Requesting Participant may request the reasons for which the Requested Participant declined or limited assistance.
    2. Participants will only share personal information pursuant to this Arrangement to the extent that it is necessary for fulfilling the purposes of this Arrangement, and will, wherever possible, use best efforts to obtain the consent of the individual(s) concerned before doing so.
    3. For greater certainty, the PCC and the BfDI will not share confidential information unless
      1. it is for the purpose set out in Section II.B.1; or
      2. it is necessary for making a request for assistance from the other Participant regarding information that may be useful to an ongoing or potential investigation or audit under Part 1 of PIPEDA in case of PCC and Art. 24 of the Federal Data Protection Act in case of the BfDI.
    4. Participants will not use any information obtained from the Requested Participant for purposes other than those for which the information was originally shared.
  5. Confidentiality
    1. Information shared under this Arrangement is to be treated as confidential and will not be further disclosed without the consent of the other Participant.
    2. Each participant will use best efforts to safeguard the security of any information received under this Arrangement and respect any safeguards approved by the Participants. In the event of any unauthorized access or disclosure of the information, the Participants will take all reasonable steps to prevent a recurrence of the event and will promptly notify the other Participant of the occurrence.
    3. The Participants will oppose, to the fullest extent possible consistent with their countries’ laws, any application by a third party for disclosure of confidential information or materials received from Requested Participants, unless the Requested Participant consents to its release. The Participant who receives such an application will notify forthwith the Participant that provided it with the confidential information.
  6. Changes in Applicable Privacy Laws

    In the event of significant modification to the Applicable Privacy Laws of a Participant’s country that are within the scope of this Arrangement, the Participants will use best efforts to consult promptly, and, if possible, prior to the entry into force of such enactments, to determine whether to amend this Arrangement.

  7. Retention of Information

    Information received under this Arrangement will not be retained for longer than is required to fulfill the purpose for which it was shared or than is required by the Requesting Participant’s country’s laws. The Participants will use best efforts to return any information that is no longer required if the Requested Participant makes a written request that such information be returned at the time it is shared. If no request for return of the information is made, the Requesting Participant will dispose of the information using methods prescribed by the Requested Participant or if no such methods have been prescribed, by other secure methods, as soon as practicable after the information is no longer required.

  8. Costs

    Unless otherwise decided by the Participants, the Requested Participant will pay all costs of executing the Request. When the cost of providing or obtaining information under this Arrangement is substantial, the Requested Participant may ask the Requesting Participant to pay those costs as a condition of proceeding with the Request. In such an event, the Participants will consult on the issue at the request of either Participant.

  9. Duration of Cooperation
    1. This Arrangement takes effect on the date it is signed.
    2. Assistance in accordance with this Arrangement will be available concerning Covered Privacy Contraventions occurring before as well as after this Arrangement is signed.
    3. This Arrangement may be terminated on 30 days written notice by either Participant. However, prior to providing such notice, each Participant will use best efforts to consult with the other Participant.
    4. On termination of this Arrangement, the Participants will, in accordance with Section V, maintain the confidentiality of any information communicated to them by the other Participant in accordance with this Arrangement, and return or destroy, in accordance with the provisions of Section VII, information obtained from the other Participant in accordance with this Arrangement.
  10. Legal Effect

    Nothing in this Arrangement is intended to:

    1. Create binding obligations, or affect existing obligations under international law, or create obligations under the laws of the Participants’ countries.
    2. Prevent a Participant from seeking assistance from or providing assistance to the other Participant pursuant to other agreements, treaties, arrangements, or practices.
    3. Affect any right of a Participant to seek information on a lawful basis from a Person located in the territory of the other Participant’s country, nor is it intended to preclude any such Person from voluntarily providing legally obtained information to a Participant.
    4. Create obligations or expectations of cooperation that would exceed a Participant’s jurisdiction.

Signed in triplicate in the English, French and German languages, each version being equally valid.

(Original signed by)

Peter Schaar
Federal Commissioner for Data Protection
and Freedom of Information of Germany

Date: 2012-10-15
At: Berlin, Germany

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada


Date: 2012-10-15
At: Berlin, Germany

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: