Ten years ago, when Canada’s private-sector privacy law passed, e-commerce was barely hitting its stride, smartphones were still in their infancy, and hardly anyone outside of IT departments had heard of cloud computing. These days, of course, the world runs on information, with companies constantly using and transmitting data captured from customers and employees. As businesses stake out new markets around the world, those data follow, transferred to, say, a sister company in New York City or a third-party service provider in Bangalore, India.
Canada’s privacy regulators are striving to keep up with the new business landscape, investigating, for example, a web site that outsourced its e-mail operations to a U.S. firm, and a security company’s decision to merge its Canadian and American customer databases. Meanwhile, more and more governments around the world are regulating the use and flow of information, some with omnibus data-protection laws, others with sector-specific requirements.
It’s no surprise, then, to see companies wrestle with diverging and sometimes conflicting privacy and data-protection requirements as they conduct business around the globe. Take Research In Motion Ltd., the Waterloo, Ont.,-based technology giant best known for the BlackBerry. This summer, the United Arab Emirates, Saudi Arabia, and India threatened to block some BlackBerry services unless the company allowed their governments to monitor user messages. RIM’s transferring of data offshore, regulators said, compromised national security. The company eventually agreed to grant authorities access to some data, though details of the arrangements weren’t disclosed to the public.
Privacy experts and smartphone users worldwide followed the negotiations, widely considered to set a new precedent for mobile data protection. While no single decision or ruling has revolutionized the transfer of data across borders so far, each new development adds to the tapestry of regulations and best practices, says Duncan De Chastelain, general counsel for GE Money’s Canadian operations. “It’s a series of decisions that, over time, are sort of building a sense of greater awareness of global data trafficking and what, globally and nationally, are the requisite standards that need to be in place,” he says.
As it is, Canada’s privacy system is “gaining currency worldwide as an excellent model for privacy legislation,” says Adam Kardash, head of Heenan Blaikie LLP’s national privacy and information management group. The federal private-sector law, the Personal Information Protection and Electronic Documents Act, took effect in stages starting in 2001, and shifts the main responsibility for safeguarding data from the consumer to the organization gathering and using the information. PIPEDA forces organizations to obtain consent before collecting, using or disclosing personal information. Quebec, Alberta, and British Columbia each boast their own private-sector privacy laws, deemed “substantially similar” to PIPEDA; some provinces, including Ontario, have a separate health information act, which applies to some private-sector activities.
“Many companies in Canada transfer their data, including personal information, across borders every day of their operations — and generally, they would be permitted to do so under applicable privacy legislation,” says Kardash. “There’s certainly responsibility on the company to ensure that [its] data is safeguarded, and this becomes more difficult as the data of a Canadian company resides with service providers in multiple jurisdictions.” There’s also a lot at stake, he adds. “To the extent that there is a security incident involved, there could be regulatory investigation, there could be potential litigation risk, and there could be adverse public relations associated with media exposure.”
As a result, the last decade has seen companies — and their legal departments — increasingly focus on compliance with national and international privacy regulations. Whether a business transfers its personnel records to an affiliate overseas or circulates client account files between international branches, keeping that information secure is a company-wide effort, one that relies heavily on in-house counsel, says De Chastelain. The counsel’s role is, first and foremost, “to be a strategic adviser to the business, with respect to the issue of data flows, both in-country and externally,” he says. “In that regard, what is incumbent on you is to ensure that you have a sense or an awareness — and thereby the business has a sense and awareness — of what data you manage, the nature of that data, and where that data travels, and what would be the legal considerations involved in that.” That means guaranteeing the proper security protocols and consents are in place, and if the company sends data to third-party service providers in other jurisdictions, that all processing agreements include appropriate privacy controls.
Contracts are a key aspect of in-house counsel’s job when it comes to privacy, says Kardash. By now, the industry has developed a checklist of evolving, but relatively standard, provisions for cross-border processing agreements, he says. Organizations will want the right to review or audit a service provider’s operations after the contract is signed, for example, and to the extent possible, they’ll want advance notification if the service provider needs to share personal information with the courts or law enforcement. “You would also include notice in your company’s privacy statement expressly referencing that data may be transferred across borders into the U.S. or other jurisdictions,” he says.
Canadian organizations send data primarily to the U.S., home to many third-party service providers that facilitate or take on various corporate operations, says Theo Ling, a partner at Baker & McKenzie LLP’s Toronto office and chairman of the firm’s global privacy and information management steering committee. And many companies with business throughout North America — or Canadian companies with a strong U.S. presence — are consolidating their servers, boosting the flow of data across the border, he says.
Unlike Canada, which tends to enact umbrella privacy laws, the U.S. has carved up responsibility for privacy matters into different pieces of legislation, each attached to a specific sector or context, Ling says. What’s more, many states have mandatory breach notification laws, meaning companies must alert customers when personal information has been compromised, even if the customer is in Canada.
Similar requirements could soon apply to all Canadian companies, regardless of where they operate. Earlier this year, the Alberta government amended its private-sector privacy laws to include breach-reporting requirements, and similar changes are in the works for PIPEDA. The switch would call attention to an often-neglected aspect of privacy protection; a recent study conducted for the federal privacy commissioner found 42 per cent of Canadian businesses aren’t concerned about security breaches related to customer data. Only a third have concrete procedures to deal with a breach.
From investigating the source of the problem — is there some oversight in privacy procedures or a breakdown in the established controls — to keeping privacy regulators and affected individuals in the loop, in-house counsel play a central role in handling data breaches. Sometimes, the trickiest part is getting everyone in the company on board, says De Chastelain. Counsel shouldn’t “pull a Chicken Little,” he says, but by the same token, they don’t want to delay issuing a statement or notifying customers just because someone in the organization didn’t grasp the sensitive nature of the situation.
For consumers, one of the most worrying aspects of global data transfers remains the possibility that foreign authorities could access their personal information. The issue at the heart of the RIM dispute has also sparked similar complaints in Canada, most famously against Canadian financial institutions outsourcing data processing to U.S. firms. But under Canadian legislation, companies can’t prevent U.S. service providers from responding to lawfully issued subpoenas.
In those situations, it’s up to the organization to show it’s not handing over personal information indiscriminately, says De Chastelain. “Within our business, which is a consumer finance business, we’ll often be called upon by tax authorities, local law enforcement, to provide information around our account holders,” he says. “What we have done as a matter of policy . . . is say, ‘We’re certainly happy to provide you with that information, but it either has to come as the result of a formal production order — that’s a warrant or a court order — or you have to indicate to us what the statutory authority is for your ability to request that information and for us to produce it.’”
As organizations expand across sectors and borders, the need for internal privacy expertise continues to grow. Many organizations are tapping in-house counsel to come up with a global approach to privacy protection. Jeff Green, chief privacy officer for the Royal Bank of Canada, says in-house legal staff helped implement an enterprise-wide privacy program in 2008 to replace a multitude of local privacy programs in more than 50 countries. “We eliminated multiple policies that were all sort of saying the same thing. It’s about efficiency, but the outcome is actually better compliance because it’s easier for employees [to follow the policy].”
The changing nature of technology and business means counsel must ensure a company’s policies and practices keep up with the current privacy norms, says Green. The rise of cloud computing, among others, is set to stir up the privacy landscape in coming years, and could lead to even tighter regulations. “Your people have to stay apprised — they’re interacting with regulators, following up with guidance coming from the privacy office,” he says. “Your business decides to get into a different product line, technology changes, regulators might react to something happening in the environment. . . . There’s always something coming down the road that you have to be prepared for.”