Fact Sheets

What Canadians Can Do to Protect Their Personal Information Transferred Across Borders

Canadians benefit from a reasonable standard of protection of their personal information. They do not want to see that protection vanish when personal information about them is transferred across borders, and they do not want to see governments or organizations in Canada transfer their information across borders if it will be put at risk of inappropriate disclosure, whether for security or for commercial purposes.

The extent to which personal information about Canadians should be made available to foreign governments is a complex issue of continuing concern. Nonetheless, Canadians can take some measures to protect their personal information from inappropriate disclosure to foreign governments:

  • By bringing complaints about the handling of personal information (especially outsourcing arrangements) to the Office of the Privacy Commissioner of Canada or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern;
  • By relying on the "whistle blowing" provisions of PIPEDA if a US based affiliate of a Canadian organization seeks to reach into Canada to obtain personal information held in a Canadian database in order to comply with a US legal order. These provisions would protect the confidentiality of employees who notify the Privacy Commissioner of Canada that a company intends to transfer information abroad in violation of PIPEDA. The provisions also protect employees against retaliation by the employers, such as harassment, dismissal or demotion;
  • By letting organizations in Canada that collect personal information about Canadians know that there is a concern about personal information being processed outside Canada;
  • By taking advantage of the information rights existing under PIPEDA and provincial private sector statutes which require organizations to follow fair information practices, notably obtaining consent for information use;
  • By reminding companies in Canada of their legal obligation to introduce appropriate security measures to prevent their subsidiaries or affiliates in another country from secretly obtaining access to personal information held in Canada to comply with a court order made in the foreign country;
  • By raising their concerns about the potential for excessive disclosure of personal information to foreign governments or to foreign companies with their elected representatives; and
  • Generally, by being more attentive to what may be happening to their personal information when it crosses borders and to the importance of clear and enforceable international standards on information sharing in democratic countries.

What Companies Do to Protect the Personal Information of Canadians Transferred Across Borders

Companies that are subject to PIPEDA or similar provincial legislation must comply with that legislation. It is important for the management of organizations subject to such laws to understand their responsibilities under the laws — for example, the obligations in PIPEDA to ensure the security of personal information. PIPEDA requires personal information to be protected by security safeguards appropriate to the sensitivity of the information.

Corporate leaders increasingly recognize that maintaining a high level of public trust in how personal information is handled is vital to achieve customer loyalty. It is also abundantly clear to corporate leaders that personal information holdings are key business assets that need to be protected against misuse.