Bill C-11’s Treatment of Cross-Border Transfers of Personal Information
By Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa
In our digital and data economy, personal data increasingly flows across national borders. The free flow of data has become an important international trade objective;Footnote 1 at the same time, the protection of personal data as it flows into other jurisdictions is a growing concern of domestic data protection laws. This is certainly the case in the European Union, where the General Data Protection RegulationFootnote 2 has put in place a series of strong measures to protect the personal data of EU residents, whether it is located in an EU country or sent abroad. According to the GDPR, the personal data of EU residents cannot flow across borders unless measures are in place to ensure that it will receive an “adequate level of protection” to that available in the EU.Footnote 3 This includes an adequate level of protection when it comes to access to personal data by law enforcement and national security authorities. This past summer, the European Court of Justice ruled that the level of access of US national security officials to the data of EU residents that flowed into the United States, combined with a lack of effective recourse for EU residents, meant that data transfers could no longer be supported under the EU-US Privacy Shield measures implemented to facilitate the free flow of data.Footnote 4
The EU is not the only jurisdiction to address transborder data flows, although it has perhaps been the most assertive in doing so. Countries such as Australia and New Zealand, for example, specifically provide for the protection of the personal data of their residents when it flows outside the country.Footnote 5 New Zealand has in fact just carefully reworked its scheme as part of a new law that took effect in December 2020.Footnote 6 The Quebec government, in its recent Bill to amend its public and private sector data protection laws also imposes specific obligations on organizations to protect the personal data of Quebec residents when it flows outside that province.Footnote 7 While each of these jurisdictions adopts its own approach, what is shared by all is the explicit acknowledgement of the importance of the issue, and the articulation of rules specific to the transborder context.
On November 17, 2020, Bill C-11, titled the Digital Charter Implementation ActFootnote 8 was tabled in Parliament. This Bill represents a major revision to the Personal Information Protection and Electronic Documents Act (PIPEDA).Footnote 9 It provides for two new laws: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act. This paper will focus on the way in which Bill C-11 addresses, in the CPPA portion of the bill, the protection of the personal data of Canadians when it flows across international borders in the private sector context. This paper will identify key provisions of the CPPA that relate to cross-border data transfers.Footnote 10 It will offer a critical analysis of the extent to which these provisions protect privacy in the context of international flows of personal information. It will identify potential gaps in the proposed framework and will indicate areas where the privacy of individuals may be placed at risk. Where relevant, the analysis takes into account comparable measures in jurisdictions such as Europe, Australia, New Zealand and Quebec, as well in the Modernised Convention for the Protection of Individuals with Regard to the Processing Personal Data (Convention 108+).Footnote 11 Drawing upon this comparative analysis, the paper presents recommendations for how Bill C-11 could be enhanced to better protect privacy in the context of international transfers.
This paper adopts a framework based upon four key elements that must be addressed by any scheme for the protection of personal data in transborder data flows.
In the first place, it is necessary to define to whom the obligations will apply and in what circumstances. Not all flows of data across borders will necessarily be captured. Some schemes might address only transfers of data for specific purposes. PIPEDA, for example, refers only to transfers for processing. This reflects the more conventional model of transborder data flows – the outsourcing of data for processing. However, in the contemporary data environment, personal data may flow across borders for a broad range of purposes and in very different ways. For example, an organization may store its data in the cloud. It may make use of offshore customer service centres. It may use cloud-based software services in its operations with the result that some personal data is processed in the cloud. Organizations may rely upon offshore service providers for the collection of personal information. Canadian-based organizations and their offshore affiliates may also have a variety of relationships that impact how services are delivered to customers. A data protection law must therefore clearly identify those activities and actors to which it will apply.
A second consideration is that the law must identify who is accountable for the personal data that flows across borders and in what circumstances. Accountability can lie with the primary organization, or it may lie with the service provider. In some cases, it might be appropriate to situate accountability with one rather than the other. Accountability – and clarity about where it will lie – is important since individuals must be able to determine who they can hold to account – and under what legislative regime – if there are data protection issues.
A third consideration is the identification of the conditions that must be met before personal data can flow across borders. These may include the notice to be provided to data subjects, the level of protection required, as well as the safeguards and measures that must be in place before data can flow. Some jurisdictions, such as the EU provide a broad range of options to enable organizations to meet these obligations. For example, these can include standard contractual clauses, model contractual clauses, or binding corporate rules.Footnote 12
A fourth consideration is how to address the adequacy of the destination state’s privacy regime. Adequacy is essentially a determination that the destination country has a data protection regime in place that offers a level of protection to personal data that meets the standard set by the law in the country from which data is transferred. Adequacy can be assessed according to different standards (e.g., “substantially similar”, or “equivalent”). Adequacy can be important even if there is a contractual agreement in place, and even if the domestic organization remains accountable for the data. Adequacy is significant for two reasons. One is that there may be circumstances in which the offshore service provider is considered accountable.Footnote 13 In such cases, their accountability may be under their domestic laws. A second reason is that many states allow access to the personal data of non-residents by law enforcement or national security authorities. Adequacy does not necessarily require that such access be prohibited; but it may well require that there be some recourse for Canadian residents should they choose to exercise it. This is something that not even the best drafted contract can address. Legislation can provide that an assessment of the adequacy of the legal system in place in the country to which data flows must be carried out by the accountable organization,Footnote 14 or at a state-to-state level.Footnote 15
These four considerations provide the framework for the analysis that follows of the provisions of Bill C-11 that address cross-border flows of personal data.
Before beginning the analysis of Bill C-11’s provisions, it is important to provide a brief summary of how PIPEDA currently addresses cross-border data flows.
PIPEDA contains no specific provisions with respect to cross-border data flows, notwithstanding the fact that the outsourcing of data for processing was a known practice at the time.
Although PIPEDA says nothing explicitly about cross-border data flows, it does contain a clause in Schedule 1 that deals in general terms with transfers of data “to a third party for processing.” Clause 4.1.3, under the heading of “Accountability,” reads:
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The clause makes it clear that transfers are permissible, and that the transferring organization is accountable for the personal data when it is in the hands of the entity to which it is transferred. It also places an onus on the transferor to ensure that the information receives a comparable level of protection in the hands of the transferee – by using contracts, for example. But this clause addresses only transfers for processing and not the myriad other types of data flows. Further, nothing in the law specifically addresses cross-border contexts; nothing addresses the vulnerability of data to access by the law enforcement or national security officials of overseas governments; and nothing provides an opportunity to assess and evaluate the adequacy of the data protection regimes in countries to which data is transferred.
The bare-bones nature of Clause 4.1.3 combined with the growing frequency and importance of cross-border data flows led the Office of the Privacy Commissioner of Canada (OPC) to issue Guidelines for processing personal data across borders in 2009Footnote 16 that explained how the OPC would interpret and apply this clause. It is, for example, these Guidelines (and not Clause 4.1.3) that clarify that the clause is interpreted to apply to domestic as well as cross-border data transfers.Footnote 17 The Guidelines also clarify that Canada had adopted an “organization to organization” approach rather than one that focused on the adequacy of the legal regime in the country of transfer.Footnote 18 Under the organizational approach, the company transferring the data remains accountable for it, should it be misused or mishandled by the transferee.Footnote 19 Although the Guidelines help clarify the rules in place, Clause 4.1.3 remained rooted in its moment in time. It is framed around the concept of transfers of data for processing in a way that no longer captures the full range of reasons or ways in which data now flows across borders.
The government had a number of options when it came to addressing cross-border data transfers in Bill C-11. Not only has the EU comprehensively addressed the issue in the GDPR, but comparable jurisdictions such as Australia and New Zealand have already tackled this complex issue and have developed their own schemes to protect the personal data of residents when it flows outside the country. The Government of Quebec has also introduced provisions in its Bill 64Footnote 20 – legislation to amend both public and private sector data protection laws in Quebec – that deal with cross-border data flows.
Appendix 3 to this paper provides a detailed overview of how these privacy regimes protect the personal data of individuals in the context of cross-border data flows.
The federal government is clearly aware of the significance of cross-border data flows. The revised language of section 5 of Bill C-11, which sets out the law’s purpose, reprises the purpose statement from PIPEDA, but adds language that identifies the current context as “an era in which data is constantly flowing across borders and geographical boundaries and significant economic activity relies on the analysis, circulation and exchange of personal information.” Paragraph 6(2)(a) of Bill C-11, which sets out the scope of application of the bill, also makes it clear that it will apply to personal information “that is collected, used or disclosed interprovincially or internationally by an organization.”
The discussion below examines how Bill C-11 addresses cross-border data flows, using the four questions identified above to frame the analysis.
1. To whom obligations will apply and in what circumstances
The question of to whom any obligations regarding cross-border data flows will apply – and in what circumstances they will be applicable – are truly core questions for any legislation designed to deal with this issue. As noted above, PIPEDA adopts a relatively bare-bones approach, applying only to transfers for processing, and providing for the accountability of the transferring organization. The CPPA somewhat obliquely recognizes a more complex context for cross-border transfers and goes beyond what is provided for in PIPEDA. However, it does not deal with cross-border data flows in a specific part of the legislation. Nothing distinguishes cross-border data flows from those in the domestic context. This is problematic. In the first place, the cross-border context raises distinct issues around such things as adequacy and accountability. Secondly, as the CPPA currently stands, those engaging in cross-border activities must follow a breadcrumb trail through the statute to identify the rules applicable to this context. Given the particular vulnerability of Canadians when their personal information flows across borders, this patchwork/guesswork approach is not appropriate.
As discussed earlier, personal data may now flow across borders in ways and for uses that go beyond traditional transfers for processing. Cloud-based services have, for example, changed these dynamics, and there are ways in which the provision of these services can lead to new collection and use of personal information by service providers. For example, a company providing offshore customer services may be collecting data about how those services are provided. This may include the personal data of its clients’ customers, and this data may be used by the offshore organization for its own analytics or internal purposes.
In the EU, the GDPR sets rules for the cross-border transfer of data “which are undergoing processing or are intended for processing after transfer to a third country.”Footnote 21 The cross-border data flow provisions are based upon the controller-processor relationship which is defined in the legislation. A “controller” is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data […].”Footnote 22 The equivalent concept under both PIPEDA and C-11 is an “organization,” which is defined in both laws as including “an association, a partnership, a person or a trade union.”Footnote 23 Note that the CPPA definition is general and does not specify the role of the organization with respect to data in the same way that “controller” does.Footnote 24 In a regime that places accountability primarily on the shoulders of the controlling organization and that recognizes principal and subordinate roles, it is unfortunate that the CPPA does not more clearly link organizations to their roles with respect to data.
A “processor” is defined in the GDPR as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”Footnote 25 Processing is broadly defined as:
[…] any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.Footnote 26
Under the CPPA, organizations are accountable for their relationships, not with ‘processors’, but with “service providers.” The Canadian version of the “controller-processor” relationship, is therefore the “organization-service provider” relationship.Footnote 27 Although the relationships have some rough equivalence, there are differences that may be significant.
A service provider is defined in section 2:
service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.
The definition of a service provider identifies it as an “organization”Footnote 28 which, as noted above, is separately defined in the CPPA as including “an association, a partnership, a person or a trade union.”Footnote 29 According to the definition of “service provider” an organization that is a service provider can include “a parent corporation, subsidiary, affiliate, contractor or subcontractor.”
The definition of “service provider” in Bill C-11 is notably different from the GDPR definition of a “processor” in that the GDPR definition specifically links the processor to actions “performed on personal data or on sets of personal data.” Thus, although the GDPR definition of a processor is broad and inclusive, it is expressly tied to the processor’s role in relation to personal data. The definition of “service provider” in the CPPA is not. A service provider is a body “that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.” There is no obvious reason for the definition to be this general. While the CPPA is obviously a data protection statute, the definition of ‘service provider’ should nonetheless address service providers that provide services related to personal information or data sets containing personal information. Perhaps more importantly, a clear description of the entity’s role with respect to data (as opposed to with respect to another organization) could make it clearer how a service provider (processor) can, with respect to some functions, become subject to the obligations of an organization (controller).
The law is silent as to the geographic location of service providers, so presumably they can be within Canada or in another country.Footnote 30 Therefore, any obligations or accountability in relation to service providers in the CPPA will apply to those within or outside Canada unless otherwise specified. Nevertheless, the fact that service providers may be situated within or outside Canada should be expressly stated somewhere in the legislation – and the definition would be a likely place for this.Footnote 31 The CPPA in some cases imposes direct obligations on service providers,Footnote 32 and the intent to have extraterritorial application should be manifest.
The definition of service provider is broad. A service provider “provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.” Basically, where any entity assists an organization in fulfilling its purposes, that second entity is a “service provider.” Those services could include the processing of data or its storage. One can assume, therefore, that cloud storage providers are service providers, as are providers of cloud-based business services.
“Service provider” includes entities that collect personal data on behalf of organizations.Footnote 33 This goes well beyond PIPEDA’s narrower paradigm of transfers for processing. For example, an organization in Canada might seek the services of an offshore company to collect data about Canadians from social media sites, or might use the services of offshore data brokers. It might simply use the services of an offshore company to facilitate some of its operations – such as making restaurant reservations that involve collecting personal information, for example. In those instances, the offshore companies would seem to be service providers in that they are assisting the organization in fulfilling its purposes, assuming its purposes include collecting that kind of data.
The reference in the definition of service provider to a “contractor or subcontractor” raises some questions. An organization (controller) would clearly have a contractual relationship with a contractor (service provider). However, if the service provider sub-contracts any of the data-related tasks, the relationship between the organization/controller and the sub-contractor is unclear. One approach would be to interpret the law’s inclusion of “sub-contractor” in the definition of ‘service provider’ as creating a relationship in law – in other words, it makes the organization/controller accountable for what happens to the personal data in the hands of the sub-contractor. If this is the case, then the service provider should not be able, independently, to sub-contract out processing functions without the consent of the organization/controller. For example, article 28(2) of the GDPR makes it clear that a “processor shall not engage another processor without prior specific or general written authorisation of the controller.” Article 29 makes it clear that in a sub-contracting relationship, the controller remains ultimately in control of and accountable for the data. These relationships should be clarified in the CPPA.
Overall, it would appear that the “service provider” definition in Bill C-11 is meant to have a similar breadth to the GDPR’s definition of “processing” (and hence a scope similar to that of “processor”). This is reinforced by subsection 7(2), which refers to the collection, use or disclosure of personal data by a service provider on behalf of an organization. However, it should be noted that there are subtle shifts in vocabulary in the disparate provisions that can be applied to cross border data flows that may create some level of confusion. Paragraph 62(2)(d) refers to international “transfer or disclosure” in establishing a transparency requirement but does not mention collection. Subsection 11(1) requires organizations to protect personal information by contracts with service providers when data is transferred to them, but does not mention when it is collected by service providers on their behalf. Subsection 11(2) refers to “uses or disclosures” by service providers of transferred information, but not information collected on the organization’s behalf. Each of these formulations is narrower than the collection, use or disclosure of personal data by a service provider on behalf of an organization that is described in subsection 7(2).
The CPPA’s approach to cross-border data flows – and in particular the broadening of its scope of application to include not just transfers but also other data-related services including the collection of data, situated within the contemporary data environment, mean that these provisions will have a broader impact. More specifically, while PIPEDA’s “transfer for processing” paradigm tended predominantly to affect large companies, many small and medium sized enterprises currently use offshore services to process customer data in one form or another. These cross-border flows can include the use of cloud-based software and app-based services, cloud storage of data, and the collection and processing of data for marketing or other purposes. It is therefore more important than ever that the cross-border data provisions be clear, accessible, and sufficiently detailed to protect personal data while facilitating compliance and reducing uncertainty. As a result, it is recommended that they be addressed in a specific dedicated section of the statute, and that ambiguities be clarified.
2. Who is accountable?
The issue of accountability is intimately tied to how the principal actors are defined. Under PIPEDA, organizations are accountable for data they transfer to another organization for processing. This general approach is maintained in the CPPA, although the definition of service provider extends the bill’s application beyond transfers for processing.
As a first principle, under the CPPA, an organization (controller) is accountable for the information under its control.Footnote 34 Subsection 7(2) provides that information is under the control of an organization when it “decides to collect it” and “determines the purposes for its collection, use or disclosure.” This will be the case “regardless of whether the information is collected, used or disclosed by the organization itself or by a service provider on behalf of the organization.”Footnote 35 Thus, accountability is squarely placed on the shoulders of the organization that initiates the process of collection, use or disclosure of personal data. The nature of this accountability – at least in the context of data transfersFootnote 36 – is elaborated upon in subsection 11(1) which requires the organization to ensure “by contract or otherwise” that the service provider to which data is transferred will provide “substantially the same protection of the personal information as that which the organization is required to provide under this Act.”
In this context, the service provider is exempt from direct accountability under the CPPA for the personal information that it handles on behalf of the organization. However, a service-provider will be directly accountable under subsection 11(2) if it “collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred.”Footnote 37 This presumably includes accountability for any improper activities by the service-provider with respect to the data, although there would likely be joint accountability in such circumstances. It would likely also capture circumstances where the service provider uses the data for its own purposes. For example, a service provider may offer cloud-based client services to an organization’s customers. In doing so, it may collect data about interactions with customers for its own business purposes. It would presumably be directly accountable under the CPPA for this second category of data. However, it is not clear what rules would govern its obligations to provide notice of its collection or use. A service-provider might well decide to avail itself of the exception in paragraph 18(2)(e), which allows an organization to dispense with notice and consent where there is no direct relationship with the individual. This weakens transparency in this relationship and makes it much more difficult for individuals to hold offshore service providers to account. As to the mechanics of how they might be held to account, individuals theoretically could file complaints (although their ability to do so would be hampered by the lack of a direct relationship and possible lack of notice and consent), and a real and substantial connection with Canada would presumably need to be found in the circumstances.Footnote 38
This interpretation of subsection 11(2), which would find a service provider accountable for information it directly collects, uses or discloses in the course of its relationship with the customers of the organization/controller, is, however, cast in some doubt by the way that it is worded. Subsection 11(2) provides that a service-provider will be accountable if it “collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred.”Footnote 39 The provision seems to refer to the information that was transferred to the service provider by the organization, yet subsection 7(2) indicates that information may be collected, used or disclosed by a service provider on behalf of an organization. Data collected by a service provider on behalf of an organization is not “transferred” to it in any ordinary sense of that term. Neither is data collected by the service provider for its own purposes. Thus, given both the contemporary data context and the wording of subsection 7(2), subsection 11(2) should clearly refer to personal data that a service provider collects, uses or discloses as a result of its relationship with the customers of the organization/controller. As it is currently worded, for example, subsection 11(2) might not capture the circumstances of the Equifax Canada case, where Equifax Canada directed its customers into a relationship with U.S.-based Equifax Inc. which resulted in the collection of their personal data by the U.S. company.Footnote 40
It may be that 11(2), as worded simply does not capture what it was intended to capture. For example, an offshore service provider such as a call centre may have access to the personal data held by the organization; it may also collect additional personal data for its own purposes (e.g., voice recordings for audit, review, or employee assessment purposes). This separate collection would appear not to be captured by subsection 11(2). Subsection 11(2) also does not address the case of an offshore service provider retained to collect data on behalf of an organization. The offshore provider in these circumstances seems to be treated as an ‘organization’ and not a service provider, but subsection 11(2) only explicitly makes service providers accountable in relation to transfers of data and their independent use of the transferred data. This means that service providers collecting data on their own behalf would most likely be accountable for this data on the basis of the ‘real and substantial connection’ test. The CPPA should clearly set out the accountability of service providers for the data they collect and use on their own initiative and for their own purposes to relieve affected individuals of the burden of establishing a real and substantial connection before a court will assume jurisdiction.
To the extent that subsection 11(2) makes offshore service providers directly accountable for the information they collect and use independently of their arrangement with the organization/controller, this may be less than ideal for the protection of individuals.Footnote 41 One alternative is to require that any data collection or use carried out by the service provider for its own purposes be governed by its contractual arrangements with the organization/controller – with accountability remaining with the organization/controller. Alternatively, as will be discussed below, another option is to ensure that the service provider is subject to a substantially similar data protection regime.
The accountability approach raises interesting issues when it comes to service providers who collect personal information on behalf of an organization. In such circumstances, accountability would seem to require that the organization ensure that the collection take place in a manner that is consistent with Canadian law.Footnote 42 It is unclear whether there is a distinction between a service provider who is specifically mandated to collect information on behalf of an organization, and a service provider who collects information generally and will provide it to an organization at the organization’s request (such as, for example, a data broker, or a provider of facial recognition services). In the latter case, the accountability approach seems to make the organization responsible for the manner in which the service provider collects the information – even though that information may be collected prior to the relationship between the organization and the service provider. Such collection would have to be consistent with Canadian law – even if the service provider is complying with their own domestic legal requirements. This might mean that a Canadian organization would need to consider whether an offshore service provider’s practices are consistent with Canadian law before contracting with them for the collection of personal data. This is another area where a requirement of substantial similarity of the data protection regime in the service provider’s country would provide better protection for Canadians.
An organization’s act of transferring data to a service provider is exempted from the requirements of knowledge or consent under section 19 of the CPPA. This means that an organization is not required to inform its customers that personal data are outsourced for processing, nor is consent of those customers required for such activities. The organization remains accountable for what happens to the personal data (except, presumably, where the service provider uses the information for its own purposes). It is important to note, however, that the exception to the requirement of knowledge or consent applies only to transfers of data to service providers. Presumably, an organization that hires a service provider to collect data on its behalf and to do anything with that collected data, would still be required to provide notice and obtain consent for that collection (unless it otherwise falls within one of the exceptions to knowledge and consent).Footnote 43 This should be explicit. As it currently stands, it is not clear if this distinction was intended or whether it results indirectly from the choice of vocabulary.
Where a transfer has taken place, there is also a new obligation in the CPPA that would require an organization to communicate any request by an individual for the erasure of their personal data to the service provider.Footnote 44 In such circumstances, the organization is also responsible for obtaining confirmation that the service provider has “disposed of” the data.
Although organizations remain primarily accountable for the information they collect or use via service providers, there are some obligations placed directly and explicitly on service providers under the legislation. Under section 61, service providers – whether as transferees or as more directly engaged actors – have an obligation to report any breach of security safeguards involving personal information to “the organization that controls the personal information.”Footnote 45 The obligation is to notify them “as soon as possible.”Footnote 46 This raises some interesting extraterritoriality issues in cases where the service provider is located in another jurisdiction. It is not clear that the provision of services to an organization in Canada that remains accountable for the personal data would otherwise bring a service provider under the scope of the CPPA. PIPEDA has been found to apply to offshore organizations where there is a “real and substantial connection” to Canada – generally this has been found in cases where there is some direct interaction with Canadians (collecting their data or providing services to them).Footnote 47 It has not yet been found to exist where a service provider has provided services to an organization in Canada that itself remains directly accountable under PIPEDA for the data. Specific obligations under the CPPA such as breach notification are different in that the law directly imposes reporting obligations on offshore service providers. If one assumes that service providers can be offshore entities (something that is never made explicit in the CPPA), then section 61 would seem to have explicit extraterritorial effect. Presumably the organization, in its contract with the service-provider, will include a requirement to notify them of any breach of security safeguards – especially since organizations are required to provide breach notification with respect to information under their control – and the information is considered to remain under their control in relationships with service providers. What is unclear is the extent to which an offshore service provider will be meaningfully subject to any separate accountability under the CPPA for breach of their specific obligation under section 61.
3. What conditions must be met before the data can flow across borders?
Although the scope of the legal obligations relating to cross-border data flows may have changed, as noted above, accountability remains—for the most part—with organizations. Their compliance with the obligations in the CPPA will largely depend on them having put in place contractual arrangements that ensure that service providers offer “substantially the same protection of the personal information as that which the organization is required to provide under this Act.” Under PIPEDA, clause 4.1.3 refers to a “comparable” level of protection. “Substantially the same” appears, at least on its face, to be a more stringent standard than “comparable.”Footnote 48 The more stringent standard suggests that guidance should be provided as to what elements must be addressed and how in contractual arrangements. The GDPR provides a number of options in this regard, including standard contractual clauses and binding corporate rules.Footnote 49 Quebec’s Bill 64 provides a list of factors that organizations must take into account in assessing whether an equivalent level of protection is available in the service provider’s jurisdiction.Footnote 50 In Australia, the Office of the Australian Information Commissioner provides a list of considerations for contractual arrangements, as well as a list of factors that it will take into account in assessing whether reasonable steps have been taken to ensure an appropriate level of protection for personal information in the hands of an offshore service provider.Footnote 51
Where data is transferred to a service provider, subsection 11(1) provides that the organization must ensure this required level of protection “by contract or otherwise.” Under PIPEDA, contracts were the primary means by which cross-border data transfers were governed, and it seems that the CPPA intends that they will be the principal means as well. It is not immediately clear what “or otherwise” might include.
It is possible that “or otherwise” is an oblique reference to the provisions regarding Codes of Practice and Certification Programs, which might be meant to have some application in this context. These provisions (sections 76-81 of Bill C-11) refer to an “entity,” which is defined as “any organization, regardless of whether it is an organization to which this Act applies, or a government institution.” It is not clear whether this includes entities outside of Canada (i.e., an organization to which the Act does not apply). Certainly, offshore entities are not expressly excluded by the wording of the legislation.
The CPPA allows such an entity “to apply to the Commissioner for approval of a code of practice that provides for substantially the same or greater protection of personal information as some or all of the protection provided under this Act.”Footnote 52 An entity may also apply to the Commissioner for approval of a certification program that is based upon a code of practice, and that provides for oversight and disciplinary measures.Footnote 53 Details of requirements for certification programs are to be set out in regulations.Footnote 54 These regulations should provide clear and precise guidance as to what must be included. Conceivably, therefore, a Canadian entity or an offshore entity could create a code of practice and certification program for eligible “service providers”, and the Commissioner could approve the Code and the certification program. If this happened, then an organization subject to the CPPA could presumably transfer data outside of the country to a service provider that was certified under such a scheme. By doing so, it would ensure “by contract or otherwise” substantially the same level of protection.
If, in fact, the code of practice and certification provisions can be used in this way then this creates a second option for compliance with the obligations imposed on organizations that transfer data for processing. The first option is to ensure substantial compliance by contract, the second is to use a service provider who is certified in accordance with section 77.
It should be noted that other regimes provide for a range of mechanisms to assist organizations in meeting data protection obligations when personal information flows across borders. These can include: standard contractual clauses (GDPRFootnote 55); model contractual clauses (New ZealandFootnote 56); a list of considerations for contractual clauses (AustraliaFootnote 57); binding corporate rules (GDPR,Footnote 58 AustraliaFootnote 59); prescribed binding schemes (AustraliaFootnote 60; New ZealandFootnote 61); or a list of statutory factors for assessment (QuebecFootnote 62). Other jurisdictions also require organizations to have a reasonable basis for believingFootnote 63 that the foreign regime meets the prescribed level of adequacy. Quebec’s Bill 64 requires organizations to conduct an assessment according to prescribed factors, and the assessment must establish that the information would “receive protection equivalent to that afforded under this Act.”Footnote 64
Convention 108+ is an interesting and important international data protection convention which Canada should consider joining.Footnote 65 Among other things, Convention 108+ addresses cross border data transfers. One provision of Convention 108+ on this subject is not addressed in any way in the CPPA. This relates to requirements of demonstrable accountability and specific remedies: Article 14(6) reads:
Each Party shall also provide that the supervisory authority is entitled to request that the person who transfers data demonstrates the effectiveness of the safeguards or the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit such transfers, suspend them or subject them to condition.Footnote 66
Given the significant vulnerabilities that may be experienced by individuals when their data flows across national borders, these additional safeguards should be added to the CPPA.
4. Whether and how to address the adequacy of the destination state’s privacy regime
When personal information is transferred to an offshore service provider, this may entail new risks. As noted earlier, the new realities of cross-border data flows also mean that service providers may well be collecting and using personal information for their own purposes. In the EU, the provisions regarding offshore processing of personal data are premised upon the data receiving an adequate level of protection. Because the CPPA acknowledges that service providers may independently collect and use personal information, and because they would seem to be directly accountable for such collection and use, the adequacy of the legal regime in the service provider’s country takes on direct importance. Under the GDPR, there are a number of ways that adequacy requirements can be met, beginning with an EU-level assessment of the adequacy of the destination country’s data protection regime. Canada has clearly opted not to go this route. Instead, the CPPA’s primary obligation on organizations is to ensure that the service provider can provide a level of protection for the personal data that is substantially the same. This will have to be done through contracts since no other mechanisms are provided for in the CPPA. However, a contract to protect transferred data is different from protection for data independently collected and used by the service provider. As noted above, Codes of Practice and Certification Programs provided for in sections 76-81 of the CPPA, may offer an option similar to the GDPR’s approved sectoral codes and certification mechanisms. However, it is not a clear requirement in the CPPA that this level of protection be present where the service provider collects and uses data for their own purposes. New Zealand’s new Privacy Act 2020Footnote 67 offers a good example of how this can be done. Where personal information is used for a service provider’s own purposes, the controller must have “reasonable grounds” to believe that the service provider is subject to privacy laws that provide “comparable safeguards” to New Zealand’s legislation.Footnote 68 Alternatively, the service provider must be part of a prescribed binding scheme, or in a country that has been found to provide comparable safeguards.Footnote 69 A further alternative is to put in place a contractual arrangement that provides comparable safeguards.Footnote 70
As noted earlier, the general rule with respect to transfers of data to service providers under the CPPA is that the organization is not required to provide either notice or consent with respect to such practices. Subsection 62(1) and paragraph 62(2)(d) suggest that the obligation is slightly different where data is transferred to a service provider outside of the province or the country. These provisions read:
62 (1) An organization must make readily available, in plain language, information that explains the organization’s policies and practices put in place to fulfil its obligations under this Act.
(2) In fulfilling its obligation under subsection (1), an organization must make the following information available:
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
The organization is obliged to provide plain language information regarding its policies and practices regarding “whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications.”Footnote 71 This could be read as a requirement to provide notice of any transfer or disclosure that has reasonably foreseeable privacy implications. However, the phrasing “whether or not” (in the French version “qu’elle effectue ou non”) suggests that the intention might be to require organizations also to make some sort of affirmative statement to the effect that they believe that their cross-border data transfers or disclosures of personal information have no reasonably foreseeable privacy implications. Nevertheless, it is unclear whether this is a use of the redundant form of ‘whether or not’, and therefore actually means “whether”, or if it is an obligation to specifically address cross-border transfers and to state their presumed impact. This requires clarification.
A further issue is what “reasonably foreseeable privacy implications” means. Presumably all of the measures that are put in place by an organization are to ensure that there will be no privacy implications where data is transferred to a service provider. The “reasonably foreseeable privacy implications” therefore must be a euphemism for additional risks that flow as a result of the laws of the country of processing. These effects can be that those laws will apply to any independent collection, use and disclosure of personal information by the offshore organization, and that Canadians will have to seek recourse under those laws, which may not offer the same level of protection. It may also be that the personal information of Canadians will be subject to access by state authorities in the service provider’s country without adequate recourse for Canadians. Currently, through guidance, the Commissioner requires organizations to provide specific notice of risks related to cross-border transfers with respect to access to the data by state authorities.Footnote 72 It is to be noted that the language of paragraph 62(2)(d) reflects an explicit choice not to pursue the route of requiring organizations to ensure that there is an adequate level of protection – including with respect to state access to data – in the destination country. This leaves Canadians vulnerable. Even if the CPPA does not contain a state-level adequacy regime, organizations that engage offshore service providers in the collection, use or disclosure of personal data of Canadians should bear some responsibility for assessing the adequacy of the data protection regime in the country of destination.
Finally, the obligation in paragraph 62(2)(d) seems simply to make information available as to “whether or not” cross border transfers take place and “whether or not” they may have reasonably foreseeable privacy implications. If there are reasonably foreseeable privacy implications, true transparency would require that considerably more information be provided, including the country or countries in which service providers are located. Further, if service providers are to engage directly in the collection and use of personal data, the identity of those service providers should be disclosed, as well as information about the possibility that the service provider engages in these activities and that the service provider, and not the organization, is considered to be accountable for data in these circumstances.
The inclusion of “interprovincial” in paragraph 62(2)(d) is odd, since the focus of this provisions seems clearly to be on the data protection regimes of foreign countries. Another province will either be bound by the CPPA, or by a private sector data protection law that has been found to be substantially similar to the CPPA. Any law enforcement or national security access to the data will presumably be the same as that which can occur under PIPEDA. Unless there is a reason to include ‘interprovincial’ in paragraph 62(2)(d) – and any such reason should be clear – it muddies the waters and should be removed.
The significance and complexity of cross-border data flows and the growing involvement of small and medium sized enterprises is such that they must be addressed in a specific dedicated section of the statute so that rights and obligations are clear and accessible. This will also serve to make express the fact that the law applies to cross-border data flows. Such a section should contain a version of s. 11 of CPPA reworked to specifically address the context of cross-border transfers.
The changing nature of cross border data flows requires language that clearly reflects these changes. It is therefore recommended that the terms used to describe the actors in cross-border data flows be clear and distinct, and that they be directly related to roles/responsibilities with respect to personal data. This approach will inherently recognize that, for example, an organization may be a processor for some functions and a controller for others.
The CPPA is meant to apply to a broad range of actions (collection, use and disclosure) with respect to data by both organizations and service providers. Some provisions, however, use the terms “transfer” and “transferred data” which do not adequately reflect this broad scope. As a result, there is uncertainty as to the application of these provisions in some circumstances. These provisions should be reviewed and reworded. See, in particular: s. 7(2), s. 11(1), s. 11(2), s. 19, s. 62(2)(d).
The definition of “service provider” expressly contemplates sub-contracting. The law should make it clear that in a sub-contracting situation, the organization/controller remains ultimately accountable for the personal data.
If organizations are meant to be accountable for what happens to personal data in the hands of a subcontractor, the CPPA should provide that a contractor cannot subcontract personal data services without the consent of the organization/controller.
Offshore service providers should not be able to avail themselves of the “business activities” exception to notice and consent in paragraph 18(2)(e) when they engage in the collection and use of data on their own behalf.
Currently, s. 11(1) of the CPPA places an onus on organizations transferring data to service providers to ensure appropriate protection “by contract or otherwise.” Specific tools should be enumerated in the legislation to enable organizations to ensure that “substantially the same protection of personal information” is provided for in contracts involving cross-border transfers of data. These should include standard contractual clauses prescribed by regulations, or non-mandatory contractual clauses developed by the OPC in consultation with stakeholders. Another option is a list of considerations that must be taken into account in drafting contractual clauses.
Nothing in the CPPA is specific as to what “or otherwise” in s. 11(1) might entail. The CPPA should be amended to clearly state that the Codes of Practice and Certification Program provisions can be used to establish “substantially the same protection of personal information” in the context of cross-border data flows. In addition, the law should include options that respond to the reference to “or otherwise,” such as binding corporate rules or schemes.
Currently subsection 11(2) provides that service providers are directly accountable under the CPPA for any of the transferred personal information that the service provider collects, uses, or discloses for its own purposes. This accountability should not be limited to information that is transferred to it, but should also include information that it collects, uses and discloses on its own account in relation to the customers of the organization.
Section 11 should be amended to make it clear that service providers must provide substantially the same protection as the organization is required to provide for all personal information under their control, whether it is transferred to the service provider by the organization or whether the service provider collects, uses or discloses it on behalf of the organization.
The CPPA contemplates that a service provider may collect personal information on behalf of an organization. It should be amended to clarify that where service providers provide information to organizations that may have been collected by the service provider prior to the particular relationship, the organization must ensure that the information was collected in a manner consistent with Canadian data protection law.
Section 61 imposes an obligation on service providers to give notice of data breaches to organization-controllers. In the case of offshore service providers, it is not clear how this obligation is enforceable. The CPPA should be amended to provide that in the case of offshore providers, the obligation to provide notice to the organization/controller must be part of their contractual arrangements.
The ‘transparency’ requirement in paragraph 62(2)(d) is currently inadequate. It should be amended to achieve the following:
- The ambiguity around the phrase “whether or not” should be corrected, as well as the uncertainty around what acts have “reasonably foreseeable privacy implications.”
- Organizations should be required to provide information about whether they carry out any international transfer or disclosure of personal information, and to provide sufficient details about these activities to enable individuals to understand the implications for their rights and to hold organizations and/or service providers to account. This should include the country or countries in which service providers are located.
- Organizations should be required to provide specific notice of any risks regarding access to personal data by the authorities of the service provider’s country.
- Where service providers collect and use data for their own purposes, organizations should be required to disclose the identity of the service provider as well as the fact that the service provider, and not the organization, is accountable for this personal data.
Bill C-11 should include a provision that requires organizations to assess whether a contract with a service provider will maintain substantially the same protection as afforded by the CPPA, taking into account the legal data protection regime in place in the country of a service provider that will be collecting, using or disclosing personal data on their behalf.
To enhance the protection of the rights of Canadians in the context of cross border data flows, to ensure that Canada meets the standards set in Convention 108+, and to permit Canada to accede to Convention 108+, the CPPA should be amended to provide that
- The Commissioner may request an organization to demonstrate the effectiveness of any safeguards put in place to govern data transfers;
- The Commissioner be specifically empowered to prohibit, suspend, or place conditions on, offshore transfers of data where substantially similar protection is not in place.
- Date modified: