Appendix 1: Provisions of Bill C-11 Relevant to Cross-Border Transfers of Data

2. […]

service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes. (fournisseur de services)

5. The purpose of this Act is to establish — in an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information (emphasis added) — rules to govern the protection of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

6(2) For greater certainty, this Act applies in respect of personal information

(a) that is collected, used or disclosed interprovincially or internationally by an organization;

7 (1) An organization is accountable for personal information that is under its control.

(2) Personal information is under the control of the organization that decides to collect it and that determines the purposes for its collection, use or disclosure, regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.

11 (1) If an organization transfers personal information to a service provider, the organization must ensure, by contract or otherwise, that the service provider provides substantially the same protection of the personal information as that which the organization is required to provide under this Act.

(2) The obligations under this Part, other than those set out in sections 57 and 61, do not apply to a service provider in respect of personal information that is transferred to it. However, the service provider is subject to all of the obligations under this Part if it collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred.

18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for a business activity described in subsection (2) and

(a) a reasonable person would expect such a collection or use for that activity; and

(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

(2) Subject to the regulations, the following activities are business activities for the purpose of subsection (1):

[… ]

(e) an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual;

19 An organization may transfer an individual’s personal information to a service provider without their knowledge or consent.

55 (1) If an organization receives a written request from an individual to dispose of personal information that it has collected from the individual, the organization must, as soon as feasible, dispose of the information, unless

(a) disposing of the information would result in the disposal of personal information about another individual and the information is not severable; or

(b) there are other requirements of this Act, of federal or provincial law or of the reasonable terms of a contract that prevent it from doing so.

[… ]

(3) If an organization disposes of personal information, it must, as soon as feasible, inform any service provider to which it has transferred the information of the individual’s request and obtain a confirmation from the service provider that the information has been disposed of.

61 If a service provider determines that any breach of security safeguards has occurred that involves personal information, it must as soon as feasible notify the organization that controls the personal information.

62 (1) An organization must make readily available, in plain language, information that explains the organization’s policies and practices put in place to fulfil its obligations under this Act.

(2) In fulfilling its obligation under subsection (1), an organization must make the following information available:

[… ]

(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;

76 (1) For the purpose of this section and sections 77 to 81, entity includes any organization, regardless of whether it is an organization to which this Act applies, or a government institution.

(2) An entity may, in the manner provided by the regulations, apply to the Commissioner for approval of a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under this Act.

(3) The Commissioner may approve the code of practice if the Commissioner determines that the code meets the criteria set out in the regulations.

77 (1) An entity may, in the manner provided by the regulations, apply to the Commissioner for approval of a certification program that includes

(a) a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under this Act;

(b) guidelines for interpreting and implementing the code of practice;

(c) a mechanism by which an entity that operates the program may certify that an organization is in compliance with the code of practice;

(d) a mechanism for the independent verification of an organization’s compliance with the code of practice;

(e) disciplinary measures for non-compliance with the code of practice by an organization, including the revocation of an organization’s certification; and

(f) anything else that is provided in the regulations.

(2) The Commissioner may approve the certification program if the Commissioner determines that the program meets the criteria set out in the regulations.

78 The Commissioner must respond in writing to an application under subsection 76(2) or 77(1) in the time specified in the regulations.

79 The Commissioner must make public a decision to approve a code of practice or certification program.

80 For greater certainty, compliance with the requirements of a code of practice or a certification program does not relieve an organization of its obligations under this Act.

81 The Commissioner may

(a) request that an entity that operates an approved certification program provide the Commissioner with information that relates to the program;

(b) cooperate with an entity that operates an approved certification program for the purpose of the exercise of the Commissioner’s powers and the performance of the Commissioner’s duties and functions under this Act;

(c) in accordance with the regulations, recommend to an entity that operates an approved certification program that an organization’s certification be withdrawn, in the circumstances and according to the criteria set out in the regulations, if the Commissioner is of the opinion that the organization is not in compliance with the requirements of the program;

(d) disclose information to the Commissioner of Competition, under an agreement or arrangement entered into under section 115, that relates to an entity that operates an approved certification program or an organization that is certified under an approved certification program;

(e) in accordance with the regulations, revoke an approval of a certification program in the circumstances and according to the criteria set out in the regulations; or

(f) consult with federal government institutions respecting codes of practice or certification programs.

109 The Commissioner must

[… ]

(b) develop guidance materials for organizations in relation to their compliance with this Act — including any guidance materials that are requested by the Minister — in consultation with affected stakeholders, including any relevant federal government institutions;
