Tuesday, February 22, 2022

Video: Cross-border data flows for Canada

New on my YouTube Channel.

In today's video, I am going to talk about the mosaic of privacy laws that we have in Canada and what they have to say about cross border data transfers.

First, I will talk about public sector privacy laws with two particular examples coming from British Columbia and Nova Scotia.

Then I would be talking about Canada’s private sector privacy laws, in particular PIPEDA and the substantially similar laws in Alberta and British Columbia. I will also briefly discuss the new Quebec privacy statute.

Finally, I will touch on various provincial health privacy laws that also have provisions that relate to cross border data flows

What Canadian privacy laws

Canada is a federal country and jurisdiction as it relates to privacy is divided between the provinces and the federal government.

We also have three general varieties of privacy laws:

Those that regulate the collection, use and disclosure of personal information by the public sector – which includes governments, government agencies and other organizations like universities and school boards.

We have a separate category of privacy laws that regulate the private, non-government sector.

Because healthcare in Canada is a mix of public and private, a number of provinces have developed health privacy laws to ensure uniform treatment of personal health information regardless of whether it’s at a doctor’s office or in a hospital.

Public sector privacy laws

One area in Canada that does not have any gaps in privacy regulation is the public sector. Each federal, provincial and territorial jurisdiction has a public sector privacy law that regulates the collection, use and disclosure of personal information by government and government agencies.

One thing that they all have in common is an obligation to protect and safeguard all personal information against a range of risks, including unauthorized disclosure. Very few of them directly address cross border data flows.

Privacy Act

In the federal jurisdiction, we have the privacy act which regulates federal government institutions.

The privacy act does not address cross border transfers or disclosures of personal information.

Instead, the federal treasury board has created guidelines regarding outsourcing that effects personal information.

These guidelines do not prohibit this storage of personal information outside of Canada, but instead impose an assessment to determine whether in the circumstances it is appropriate to use a particular service that may result in personal information being stored outside of Canada or accessed from outside of Canada.

FIPPA (British Columbia)

In 2004, the British Columbia Freedom of Information and Protection of Privacy Act was amended to essentially prohibit the province’s government from allowing personal information to be stored outside of Canada or accessed from outside of Canada.

This was because of a large-scale union campaign that latched onto privacy and fear of the USA PATRIOT Act to oppose government outsourcing of IT services.

These prohibitions were finally removed in 2021, likely driven by the need of governments, universities and school boards to use more modern cloud technologies to support work from home during the pandemic.

The replacement provisions anticipate the government to pass regulations about cross-border data transfers, but we have not seen those yet.

PIIDPA (Nova Scotia)

In 2006, Nova Scotia followed British Columbia in strictly limiting cross-border data flows when it passed the Personal Information International Disclosure Protection Act, also known as “PIIDPA”.

What PIIDPA contains is a general prohibition against storage or access outside of Canada for public bodies in Nova Scotia. This includes public bodies in the health sector.

PIIDPA is not as draconian as the British Columbia law because it does permit the “head of the public body” to authorize the storage or access outside of Canada if it is for the public body’s necessary operations.

The public body also has to make a report of the decision to the minister of justice, which is then made public.

PIIDPA also imposes specific obligations on all service providers of public bodies.

Foreign demands for disclosure

The most significant – but maybe less known – obligation imposed on service providers relates to “foreign demands for disclosure”. These are warrants, subpoenas and court orders by a foreign authority for records, as long as there is a penalty for non-compliance.

It is unlawful for a service provider to provide the data, and the public body or its service provider must give written notice of the demand to the Nova Scotia Minister of Justice.

Then what? I don’t know. Presumably there would be some government-to-government communications.

Foreign demands under other laws

Every privacy law in Canada permits disclosures without consent where the disclosure is required by law. Some include examples like warrants, subpoenas, litigation document discovery and the like.

None of them specify “where required by CANADIAN law”, but that is a reasonable presumption.

These laws, other than PIIDPA, don’t make it an offense but it would still not be permitted.

But at the same time, the Office of the Privacy Commissioner of Canada has been clear that if information is stored outside of Canada, it becomes subject to the laws of the place where it is stored. That’s a risk that needs to be taken into account in any contracting decision.

Private sector privacy laws

For most of the private sector in Canada, there are no rules that prohibit cross-border data transfers but there are rules that come into play.

Each private sector privacy law requires that the original “controller” makes sure that there are adequate safeguards to protect personal information.

The original controller has to use contractual terms to make sure that any contractors implement those safeguards.

Jurisdiction may affect whether safeguards can be adequately assured.

Disclosures by the organization or its contractors in response to a “foreign demand for disclosure” may be unlawful. Any organization dealing with something like this should immediately seek experienced legal advice.

Alberta’s Personal Information Protection Act

Alberta’s Personal Information Protection Act specifically addresses giving people notice about cross-border data transfers.

Specifically, the law requires policies and procedures that include the countries in which the collection, use, disclosure or storage is occurring or may occur, and the purposes for which the service provider has been authorized to collect, use or disclose personal information for or on behalf of the organization.

Because this information has to be made available upon request, it should be included in an organization’s public-facing privacy policy.

The Privacy Commissioner of Canada recommends this as well for PIPEDA

Quebec’s Bill 64

In the past year, Quebec has significantly updated its private sector privacy law, including provisions that specifically address cross-border data transfers.

These new provisions come into effect on September 22, 2023.

When the Quebec provisions come into effect, they will require a process similar to a data transfer impact assessment under the European GDPR.

Before storing personal information outside of Quebec, the organization will need to carry out a privacy impact assessment, sometimes referred to as a PIA.

Then the organization will need to carry out an analysis of whether there will be “adequate” protection of the personal information when transferred outside of the province.

Finally, there needs to be a written agreement with the service provider that mitigates any risk identified in the PIA and ensures that personal information will be adequately protected.

Health privacy laws

Health privacy laws are a specific kind of privacy law in Canada, which cross over the private sector (doctors’ offices, pharmacies and physiotherapists) and the public sector (health authorities and public hospitals).

Most health privacy laws in Canada prohibit disclosures of personal health information outside of Canada unless there is consent from the individual. Some similarly prohibit disclosures outside of the province.

But most people who practice in this space, and some regulators I’ve spoken to, say that a transfer for processing is not a disclosure for the purposes of this prohibition.

What’s the reality on the ground?

Many people still believe that cross-border transfers are prohibited in Canada, which is likely the result of the publicity around the prohibitions added to the British Columbia public sector law years ago.

The only province that significantly limits cross-border transfers is Nova Scotia, for the public sector in that province.

We still see requests for proposals from both the public and the private sectors that require data residency in Canada.

When this happens in the public sector, this is likely in violation of international trade agreements.

No comments: