Privacy Advisor

Business Risks of Cross-Border Transfers of Personal Information to the United States

December 1, 2005

Terry McQuay

As a Canadian, ask yourself these questions:

"Would you like your personal information reviewed by a U.S. law authority, say the FBI?"

"Would you like your purchasing habits, your medical information, your resume, accumulated and accessed by U.S. government agencies?"

If these questions make you feel uneasy, you are not alone. According to a survey, published in June 2005, and conducted by EKOS Research Associates on behalf of the Privacy Commissioner of Canada, 64 percent of Canadians have serious concerns about companies transferring their personal information to the U.S.

So, as a Canadian, ask yourself this question:

"Should an organization be obligated to tell you when your personal information is going to be transferred to the U.S.?"

Or go even further:

"Should an organization obtain your consent before transferring your information to the U.S.?"

If you answered yes, you are not alone. The same EKOS survey found that 73 percent of Canadians thought it was of high importance that organizations inform them prior to transferring their information to the U.S. But the highest percentage, 84 percent, wanted an organization to obtain their consent prior to transferring their information to a foreign country, including the U.S.

The Office of the Privacy Commissioner of Canada has stated repeatedly, at the very least, a company in Canada that outsources information processing in this way should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country. In fact, if you are an individual residing in British Columbia, Canadian or non-Canadian, you have legislative protection that the personal information you provide the BC government will not be accessible by U.S. law authorities. This law, a privacy law called Freedom of Information and Protection of Privacy Act ("FOIPPA"), extends to all BC government agencies and their third-party suppliers.

Business Risk
Businesses in Canada are looking at this issue seriously. Mainly because:

Companies that provide outsourcing services to a BC government agency, or in many cases any Canadian federal or provincial agency, must locate outsourced personal information in Canada and take steps to ensure they cannot be compelled to release the information to U.S. government authorities;

Outsourcing firms that provide services to risk-averse industries, say banking and insurance, are receiving pressure from their customers to keep data in Canada;

All companies that transfer personal information to the U.S., either to their head office, to an affiliate, or through an outsourcing relationship, must answer the question: "What are our business risks related to transferring personal information to the U.S.?"

Some examples of the impact this issue has had on Nymity's customers include:

Moving data centers from U.S. locations to Canada;

Changing ownership of the Canadian subsidiary from U.S. to UK, such that U.S. officers could not compel the company to disclose information residing in Canada to U.S. authorities;

A U.S.-based firm not bidding on a contract, as it would be cost-prohibitive to move their data center to Canada, in keeping with contract requirements;

Winning a $14 million contract because their data center is in Canada;

Creating sales and marketing strategies to capitalize on the fact that they are a Canadian company and all information resides in Canada;

The Canadian subsidiary of a U.S.-owned company creating a datasheet to explain why the USA Patriot Act does not apply as their Canadian operations are completely independent and out of the reach of the U.S. head office;

Changing privacy policies in hopes that providing notice to consumers of their practices related to cross-border transfers of personal information will make them compliant with privacy laws in Canada;

Conducting audits of their service providers to ensure they are not using U.S.-linked sub-contractors;

Updating contracts with service providers; and

Updating customer contracts to provide notice of any cross-border transfers of personal information.

USA Patriot Act
Why are business risks increasing? The business risk associated with the transfer of personal information did not result from the EKOS survey or customer concerns. The risks are the direct result of the increased visibility of, and concerns related to, the USA Patriot Act in Canada. The Act provides U.S. authorities unfettered access to any personal information held by U.S. firms, whether it is on U.S. citizens, Canadians, or anyone else.

At first, the corporate concerns centered on compliance with privacy laws in Canada, mostly the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Canada's federal private-sector privacy legislation. PIPEDA governs all cross-border transfers of customer personal information by corporate Canada. Corporate Canada was concerned that the USA Patriot Act conflicted with PIPEDA and that their business practices could be found non-compliant with privacy laws in Canada. The question asked was:

"Does transferring personal information to the U.S. put our organization on the wrong side of privacy laws in Canada?"

The answer is not that straightforward. The answer, in pseudo-legal terms, is "It Depends." If you are subject to BC's privacy law, FOIPPA, then yes, your organization would be found non-compliant and potentially subject to large penalties. As for Canada's privacy law, PIPEDA, it is unclear. Many experts believe there are exemption provisions in PIPEDA that would allow for disclosures to U.S. law authorities.

Should corporate Canada be concerned? Yes, as the liabilities go beyond the impact of non-compliance with privacy laws in Canada. The liabilities could include loss of contracts, and reputations could be damaged by unwanted media attention.

How does an organization mitigate risk associated with transferring personal information to the U.S.? Understand the risks, get legal advice, and as always, take direction from the regulators — the privacy commissioners in Canada.

Implementing Recommendations from the Privacy Commissioner of Canada
The Office of the Privacy Commissioner of Canada is the regulatory body that provides oversight for PIPEDA, the law that governs all customer personal information transferred to the U.S. by corporate Canada. In a paper from the federal privacy commissioner to a provincial privacy commissioner, the federal commissioner stated:

"At the very least, a company in Canada that outsources information processing in this way should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country."

This was considered by many organizations as instructive guidance on complying with PIPEDA.

One of Nymity's customers, a Canadian bank, implemented this recommendation and provided notice to their customers that their personal information will be transferred to the U.S., and thus subject to U.S. law authorities. The notice stated:

"I acknowledge that in the event that a Service Provider is located in the United States, my information may be processed and stored in the United States and that United States governments, courts or law enforcement or regulatory agencies may be able to obtain disclosure of my information through the laws of the United States....

I acknowledge and agree that the ... paragraphs above constitute prior written notice to me of, and my consent to the collection, use and disclosure of my personal information as described above...."

Implementing the commissioner's recommendations, quite ironically, found the bank subject to customer complaints and a commissioner's investigation. The complaints gained media attention, in fact, so much attention, that the complaints became public knowledge, and became one of the rare cases in which a company's name was associated with a complaint.

In October 2005, the commissioner's office published the finding related to the complaints, and it was no surprise that the bank that had followed the commissioner's recommendations was found to be compliant, and the complaints were therefore not well-founded. The finding stated:

"The bank took the appropriate step of being transparent about its practices of using a U.S.-based third-party service provider for processing and about the possible risk that customer personal information might be lawfully accessed by U.S. authorities."

So, at least from the commissioner's office's perspective, the bank was compliant with PIPEDA, and now corporate Canada has further instructions on how to be onside with PIPEDA when transferring personal information to the U.S. In fact, the commissioner's office stated that the bank did not need to get consent; notice would have been sufficient, as the consent created the impression that a customer could opt out of having their information transferred to the U.S.

What does the commissioner recommend? Obviously, comply with PIPEDA, which states:

"Principle 4.1.3 of Schedule 1 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.8 provides that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

To comply, the finding states:

"What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means."

Simple enough, but will implementing these measures mitigate the risks associated with transferring customer information to the U.S.? Possibly, from a compliance with PIPEDA standpoint. But does providing notice result in different business risks?

Is providing notice reducing business risk or increasing it? If you, as a Canadian consumer, had to make a choice between two organizations, all other things being equal, wouldn't you choose the organization that kept the data "out of harm's way" of the U.S. authorities?

Providing notice seems to at least create more questions, but what about business risk? Clearly, in the bank's case above, the unwanted media attention had a cost, including an impact on its reputation. In speaking with the bank, they indicated that doing the right thing is most important, and if they had to do the same thing over again, they would. But, have we seen other financial institutions providing notice? Actually, yes, but often in less "noticeable" ways, like changing the organization's privacy policy.

Providing notice about the transfer of personal information across national borders complies with privacy laws. However, such notice may have business implications that should be identified and assessed. In light of the foregoing, organizations should select the methods of providing notice (re: transfers to the U.S.) that are most appropriate for them. For example, some organizations may choose to provide notice in their privacy policies (as prescribed by Nymity's National Privacy Policy Index), while other organizations may choose to provide notice by way of flyers, brochures, contracts, or letters.

Terry McQuay is president of Nymity, Inc., based in Toronto, Ontario. Nymity provides research, education and support services for privacy professionals tasked with providing privacy expertise to corporations and not-for-profit organizations with operations in the U.S. and Canada. For more information visit www.nymity.com. McQuay can be reached at +416.214.7838 or by email at terry.mcquay@nymity.com.