A Canadian company with a database of customer information including names, email addresses and account information, wants to find a service provider to handle the information. A US company seems to provide the best solution and so the Canadian company hires the US provider to host, manage and handle all of the customer data. What should the Canadian company be aware of? Do privacy laws apply?

The trans-border outsourcing of personal-information is becoming more common and requires an awareness of privacy law implications. The easy answer is yes, privacy laws apply. The more complex question is which privacy laws apply?

Canadian privacy laws and recent decisions by Privacy Commissioners at both the federal and provincial level make it clear that companies are responsible for ensuring that they maintain contractual control over personal information handling practices by external service providers. The trans-border nature of the data flow does not mean that Canadian laws won’t apply or that Canadian companies can simply opt out of Canadian jurisdiction. In fact, the Federal Court has recently decided that the Privacy Commissioner can and should investigate complaints relating to the trans-border flow of personal information.

The outsourcing of services to the US raises concerns about the US Government’s ability to access that information under the USA PATRIOT Act. In a 2005 investigation into the outsourcing of financial services to the US, the Privacy Commissioner of Canada noted that:

“[T]he Act cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers. What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means.”

In a 2006 decision involving a Canadian security company’s handling of personal information by its U.S.-based parent company, the Commissioner was satisfied that the outsourcing of personal information was handled appropriately. The company informed its customers of the practice and permitted customers to opt-out of the outsourcing. The fact that the disclosure was between parent-subsidiary relationship meant that the personal information was not technically disclosed to a third-party, and these factors resulted in the Commissioner approving the handling of personal information in this case.

Careful management of the privacy issues allows Canadian businesses to handle outsourcing and reduce the risks of a customer complaint or investigation by the Commissioner.

 

Calgary – 10:25 MST