Focus on Canada: Cross-Border Data Privacy in the Crosshairs
 

Canadian companies are keeping an eye on data privacy policies that could affect their use of foreign-based cloud services and data processors — particularly in the U.S. Recent decisions regarding data residency are beginning to cascade at the at the national, provincial and international levels. Also known as data localization, these measures could require Canadians’ personal information to be processed and stored only in Canada.

Cross-border data flow has been on Canada’s policy agenda for years, whether it involves the U.S. or other trading partners. But data flow with the U.S. has become more of a priority due to the rising influence of Big Tech, growing consumer data privacy concerns and the ongoing repercussions of the U.S. surveillance and data collection provisions in the Patriot Act.

This summer, the adequacy of U.S. data protections came into question again, when Europe’s top court invalidated the Privacy Shield, an arrangement for European Union-U.S. data transfers. As the EU and U.S. negotiate a replacement, legal observers have suggested that the ruling could have a knock-on effect in other countries including Canada.[1] A case in point is Israel, where the Israeli Privacy Protection Authority declared in September that it would also need to find new mechanisms for data transfers to the U.S.[2]

Cognizant of these concerns, multinational cloud service providers including Mimecast have been setting up hubs in Canada and other countries to give their business customers more options for routing and storing corporate email, customer information and other data.

Canada’s Data Residency Rules and Proposals

Average Canadians are also concerned about the transfer of their personal information outside the country — at least according to 75% of the British Columbians who responded to a data privacy poll.[3] And 81% of Canadian companies say that protecting their customers’ personal information is important — up from 62% in 2011.[4]

Broad new data privacy laws proposed by Ottawa and the provinces may finally address these issues, including some of the questions regarding Canadian data storage in the U.S. and other countries, although this will likely take months. In the meantime, companies remain uncertain about how to run some of their most critical operations. Here are five key developments that will influence the outcome:

• Federal Actions: Canada’s Office of the Privacy Commissioner (OPC) recently issued and then rescinded a requirement that companies get express consent for the transfer of personal information to service providers outside of Canada.[5] The OPC has stressed that companies should inform their customers whenever their information might be processed in a foreign country, where it could be accessed by law enforcement and national security authorities. The matter of data residency is also being discussed as part of a rewrite of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
• Proposed Legislation in Quebec: Quebec recently proposed a new data privacy bill that requires companies to conduct a privacy impact assessment before sending personal information outside the province to be processed.
• BC Initiatives: In contrast, British Columbia, which requires provincial agencies to store all personal data in Canada, temporarily loosened this restriction due to COVID-19. More generally, though, BC is updating its data privacy law, a process that includes consulting with the public about data residency requirements and related issues.[6]
• Corporate Pushback: Groups such as the Business Council of Canada and the Investment Industry Association of Canada (IIAC) have argued against Canadian data residency requirements. Even introducing new disclosure and consent requirements for using third-party processors overseas would be unworkable and ineffective, the IIAC said. To explain why such measures would be unworkable, the IIAC cited the vast amount of client data required for investment management, including personal identification, banking information, lists of assets, liabilities, taxes, details about family members and more.
• The New North American Trade Agreement: Cross-border data flow is also addressed by the Canada-U.S.-Mexico Agreement (CUSMA). The 2018 pact, which replaces the North American Free Trade Agreement (NAFTA), went into effect on July 1 and states that, “No party shall prohibit or restrict the cross-border transfer of information.”[7] But there’s room for differing interpretations. For example, the Organization for Economic Cooperation and Development (OECD) points out that the agreement also includes provisions for national governments to protect the personal information of any parties engaged in digital trade. In addition, the OECD notes that there are now more than 200 data protection regulations relating to data transfers and local storage requirements worldwide. “Governments are updating data-related regulations and increasingly conditioning the transfer of data across borders or requiring that data be stored locally,” the organization wrote.[8]

Amid these and other forthcoming changes to cross-border data privacy regulation, British Columbia Privacy Commissioner Michael McEvoy co-authored an article that provides advice on protecting personal information and minimizing the legal, financial and operational risks companies might face for non-compliance. “For businesses engaged in Canada-U.S. cross-border transactions,” he explains, “understanding the laws and regulations on both sides of the border and having an appropriate cybersecurity compliance program in place are imperative.”[9]

The Bottom Line

Given the national, provincial and international debates now taking place over data privacy, cross-border data flows between Canada and the U.S. are increasingly under scrutiny. This has led Canadian companies to keep a close eye on the many developments that could affect the way they handle their business’s essential data.

[1] “The End of the ‘Privacy Shield’ Is an Opportunity for Canadian Business,” Lawson Lundell LLP

[2] “Israeli Privacy Protection Authority Declares Privacy Shield Inadequate,” Geneva Internet Platform

[3] “British Columbians Want Action on Privacy Protection,” BC Freedom of Information and Privacy Association

[4] “2019-20 Survey of Canadian Businesses on Privacy-Related Issues,” Office of the Privacy Commissioner of Canada

[5] “Bank Ensures Openness and Comparable Protection for Personal Information Transferred to Third Party,” Office of the Privacy Commissioner of Canada

[6] Speech by Michael McEvoy, Information and Privacy Commissioner for British Columbia

[7] “As New NAFTA Takes Effect, Much Remains Undone,” New York Times

[8] “Trade and Cross-Border Data Flows,” Organization for Economic Cooperation and Development

[9] “Critical Cybersecurity Compliance Issues for Canadian and U.S. Companies Operating Across the Border,” Business Law Today