Transfers of Data
When an organization transfers personal information to a third-party service provider (ie, who acts on behalf of the transferring organization — although Canadian legislation does not use these terms, the transferring organization would be the “controller” in GDPR parlance, and the service provider would be a “processor”), the transferring organization remains accountable for the protection of that personal information and ensuring compliance with the applicable legislation, using contractual or other means. In particular, the transferring organization is responsible for ensuring (again, using contractual or other means) that the third party service provider appropriately safeguards the data, and would also be required under the notice and openness/transparency provisions to reference the use of third-party service providers in and outside of Canada in their privacy policies and procedures.
These concepts apply whether the party receiving the personal information is inside or outside Canada. Transferring personal information outside of Canada for storage or processing is generally permitted so long as the requirements discussed above are addressed, and the transferring party notifies individuals that their information may be transferred outside of Canada and may be subject to access by foreign governments, courts, law enforcement or regulatory agencies. This notice is typically provided through the transferring party’s privacy policies.
With respect to the use of foreign service providers, PIPA Alberta specifically requires a transferring organization to include the following information in its privacy policies and procedures:
- The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and
- The purposes for which the third party service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization
Under PIPA Alberta, specific notice must also be provided at the time of collection or transfer of the personal information and must specify:
- The way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and
- The name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
In addition, under the Quebec Privacy Act, an organization must take reasonable steps to ensure that personal information transferred to service providers outside Quebec will not be used for other purposes and will not be communicated to third parties without consent (except under certain exceptions prescribed in the Act). The Quebec Privacy Act also specifically provides that the organization must refuse to transfer personal information outside Quebec where it does not believe that the information will receive such protection.
Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require all organizations, before transferring personal information outside of the province of Quebec, to conduct data privacy assessments and enact appropriate contractual safeguards to ensure that the information will benefit from adequate protection in the jurisdiction of transfer. These assessments must take into account the sensitivity of the information, the purposes, the level of protection (contractual or otherwise) and the applicable privacy regime of the jurisdiction of transfer. Quebec has decided not to implement a system of adequacy decisions, and therefore assessments will likely be required prior to any cross-jurisdiction transfer.