In the wake of case summaries numbers 313, 333 and 365, the Office of the Privacy Commissioner of Canada (“OPCC”) published another case summary, dated September 19, 2008, on outsourcing services abroad – PIPEDA Case Summary Number 394.
Two individuals filed a complaint before the OPCC over the transfer of the canada.com email service, operated by CanWest Publishing Inc., to the United States.
The findings of the OPCC investigation can be summarized as follows:
- PIPEDA does not prohibit organizations from outsourcing their operations across international borders;
- It is important for organizations to assess the risks that could jeopardize the security and confidentiality of customer personal information (“PI”) when it is transferred to foreign-based third-party service providers. The measures by which PI is protected must be formalized by using contractual or other means;
- No contractual provision can override the laws of a country to which the information could be subject once it has been transferred;
- Organizations must be transparent about their PI handling practices. A company in Canada that outsources personal information processing to a company that operates in another country should notify its customers that the information may be available to the government of that country or its agencies under a lawful order made in that country; and
- With regard to the issue of customer consent, the Office has taken the position that the sharing of information with a third-party service provider constitutes a “use” for the purposes of the Act. The original consent to use the PI will therefore, in principle, apply to the subcontractor’s use of the PI.
To anyone who is familiar with OPCC decisions, the Office’s findings in case summary number 394 will come as no surprise. The OPCC uses this case summary to formally reiterate the conclusions reached in its other decisions – numbers 313 and 365 – by referring to them specifically.
Some questions remain, however: Can the OPCC decisions be transposed in their entirety to Québec? Can the same approach apply under Québec PI legislation in both the public and private sectors? We are specifically referring here to the provisions that were “remodelled” in the 2006 amendments to sections 67.2 and 70.1 of the Act respecting access to documents held by public bodies and the protection of personal information (the “Access Act”) and to sections 17 and 20 of the Act respecting the protection of personal information in the private sector (the “Private Sector Act”).
Remember first that, while PIPEDA qualifies the outsourcing of services as a “use” of PI in respect of which the consent of the person concerned was obtained, Québec law sees this instead as a “communication” (disclosure) of information. But this communication does enjoy one exemption from the principle of consent.
The Commission d’accès à l’information also made some significant comments in an inquiry report in Deschesnes v. Groupe Jean Coutu, (2000) C.A.I. 210, that reinforce section 20 of the Private Sector Act. The decision specifies that mandataries (agents) may access an individual’s PI without his or her consent if the following requirements are met:
a) The contract between the enterprise and the mandatary is in writing;
b) The contract specifies:
- The scope of the mandate;
- The purposes for which the mandatary (agent) will use the information (the object of the file); and
- The category of individuals who would have access to the information.
These requirements, which were added to section 20 of the Private Sector Act following the Groupe Jean Coutu decision, should apply mutatis mutandis to contracts of enterprise or for services.
As for the public sector, section 67.2 of the Access Act specifies the “minimum” contents of a written contract between the principal and its subcontractors. Such a contract must contain specific confidentiality provisions, including the possibility of demanding confidentiality undertakings from individuals who will have access to the PI.
We now need to focus on the scope of section 17 of the Private Sector Act and section 70.1 of the Access Act.
The consequences of these reworded sections are not clear.
If these provisions are interpreted narrowly, the question is whether, before the communication of PI outside Québec can be authorized, the laws of the “foreign territory” must be examined in detail to determine if the legislative protection there is sufficient (or at the very least equivalent) compared to that afforded under section 17 of the Private Sector Act or section 70.1 of the Access Act. Note that these provisions are not limited to the communication of data to foreign countries; they also cover the communication of data to other Canadian provinces… like Ontario, where many Québec enterprises routinely do business. CanWest raised an argument in that respect before the OPCC in case summary 394:
“While it is within the power of an organization to set forth contractual and operational controls on the treatment of personal information by its service providers, it is unreasonable to expect organizations to conduct exhaustive surveys of data access statutes in every jurisdiction in which they process or store data and make a determination whether or not those statutes put the data at greater risk than they would if situate (sic) in Canada. We submit that such a standard goes beyond the spirit and intent of PIPEDA, particularly the reasonableness standard set forth in Section 3.”
Another interpretation, to which we have already subscribed in the past, maintains that the contractual protections set out in an agreement reached between a principal and its subcontractors may be deemed sufficient to ensure compliance with the requirements of section 17 of the Private Sector Act and section 70.1 of the Access Act, and may thus authorize the communication of PI abroad, provided that the receiving organization or foreign body applies, or agrees to apply, protections similar to those prevalent in Québec. This should in all cases be done in writing.
True, contractual protections cannot take precedence over the legislative (or regulatory) provisions of foreign jurisdictions. This, however, is a legal and practical reality that is recognized in case summaries numbers 313, 333, 365 and 394 of the OPCC.
In the absence of further particulars from the Commission d’accès à l’information on the scope of the prohibition set out in section 17 of the Private Sector Act and section 70.1 of the Access Act, it would seem clear that the same degree of legal and practical realism should apply where the provisions of Québec legislation are concerned: the amendments to section 17 of the Private Sector Act and section 70.1 of the Access Act surely were not intended to prevent Québec enterprises or bodies from outsourcing their services (even if that includes communicating PI outside Québec), provided that clear and open measures are taken to ensure the protection of the PI entrusted to subcontractors… subject, however, to the application of foreign legislation.
That said, the OPCC’s finding in case summary number 394, in which the Office stresses that it is important for organizations to assess the risks that could jeopardize the security and confidentiality of customers’ PI when this data is transferred to foreign-based third-party service providers, will modulate the requirements that the Commission d’accès à l’information will “impose” on enterprises or bodies under section 17 of the Private Sector Act or section 70.1 of the Access Act. The communication of PI to Ontario or the United States, within the framework of specific contractual undertakings, should not be treated in the same manner as PI communicated to “jurisdictions” where the legal system is somewhat more “questionable” and where it would be more difficult, if not impossible, to obtain appropriate remedies to enforce contractual undertakings and sanction their breach.