How to Protect and Transfer Employee Personal Information Internationally from Canada

In today’s era of big data, privacy concerns related to employee personal information are continuing to attract public scrutiny. As such, it’s critical for employers to understand their duties and obligations in this regard, especially with respect to companies that have parent corporations based outside of Canada that wish to transfer employee information to a head office location.

This overview will address the protection of employee personal information when being transferred internationally from Canada. It will examine the application and enforcement of legislation, not just at a Federal level, but at a Provincial level for Alberta, British Columbia and Quebec where the Federal legislation may not apply.

The Statutory Framework for Personal Information in Canada

This article concerns the protection of employee personal information when being transferred internationally. Canadian Federal legislation is the primary source of law; however, Provincial legislation may also be applicable. The Federal legislation is the Personal Information Protection and Electronic Documents Act (“PIPEDA”). It does a number of things:

  • It sets out the ground rules for how private sector organizations collect, use or disclose personal information in the course of commercial activities across Canada;
  • It applies to interprovincial or international transfers of personal information; and
  • It also applies to personal information of employees of federally regulated organizations (but not employees of provincially regulated organizations).

Statutory Interplay and Application

PIPEDA governs the information-handling practices of private-sector organizations everywhere in Canada except Alberta, BC, Québec, and the health-care sectors of Ontario, New Brunswick and Newfoundland and Labrador. Alberta, BC, and Québec all have private-sector legislation which has been declared to be “substantially similar” to PIPEDA. These acts apply if the information is collected, used and disclosed entirely within those Provinces. However, PIPEDA continues to apply to the federally regulated private sector in these Provinces, such as banking and telecommunications.

Different laws in Canada apply to various types of employees in different ways. PIPEDA applies to employee personal information in federally regulated industries such as:

  • Telecommunications;
  • Broadcasting;
  • Interprovincial or international trucking, shipping, railways, or other transportation;
  • Aviation;
  • Banking;
  • Nuclear energy; and
  • Local businesses in Yukon, Nunavut, and the Northwest Territories (where all private sector activity is in federal jurisdiction).

Privacy legislation in BC, Alberta and Québec applies to employee personal information in private sector organizations that fall outside federally regulated industries. However, an interprovincial or international transfer of employee personal information is generally not afforded any statutory protection if the business is not federally regulated. This is regardless of the Province of origination.

In any event, it is generally recommended that employers treat employee personal information with the same protections as if covered under PIPEDA or the Provincial acts.

Cross-Border Transfers of Employee Information

It is generally permissible for an organization to transfer employee personal information to affiliates in the United States and other foreign jurisdictions, provided certain conditions are met. PIPEDA applies to all interprovincial and international transactions involving personal information in the course of commercial activities. PIPEDA does not contain any explicit restriction on transferring information across Provincial or national borders. That being said, organizations remain responsible for meeting their general obligations under PIPEDA when they transfer personal information outside of Canada.

The Federal Privacy Commissioner has issued Guidelines for Transferring Personal Information Across Borders (“Guidelines”). These Guidelines clearly indicate that:

  • PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing;
  • PIPEDA classifies a transfer for processing as a “use” of the information, not a disclosure. Assuming the information is being used for the purpose for which it was originally collected, additional consent for the transfer is not required under PIPEDA;
  • “Processing” is interpreted to include any use of employee information by a third party processor for a purpose for which the transferring organization can use it;
  • The transferring organization is accountable for the information in the hands of the organization to which it has been transferred;
  • Organizations must protect the personal information in the hands of processors. This is primarily accomplished through contract, such as a data protection agreement between the Canadian organization and the foreign affiliate;
  • No contract can override the criminal, national security or any other laws of the country to which the information has been transferred;
  • It is important for organizations to assess the risks that could jeopardize the integrity, security and confidentiality of personal information when it is transferred to third-party service providers operating outside of Canada. Organizations must be transparent about their personal information handling practices. This includes advising employees that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities in that jurisdiction.

Alberta’s Personal Information Protection Act contains the following requirements when information will be transferred to a “service provider” (which includes a parent company, subsidiary or other affiliate which directly or indirectly provides a service for or on behalf of the organization) outside Canada:

  • The organization must have privacy policies that include information regarding the countries outside Canada where the collection, use, disclosure or storage of personal information is occurring or may occur, and the purposes for which the service provider outside Canada has been authorized to collect, use or disclose the personal information.
  • Individuals must be notified of the cross-border transfer of their personal information in advance, including information about how the individual can obtain access to information about the organization’s policies and practices with respect to foreign service providers and the name, position or title of a person who is able to answer questions about the collection, use, disclosure or storage of personal information by service providers outside Canada.

Québec takes the strictest approach to transferring information to foreign entities. Employees must be notified of the location where their personal information will be held. Under An Act respecting the protection of personal information in the private sector (Québec), if an organization communicates personal information outside Québec or entrusts a person outside Québec with the task of holding, using or communicating such information on its behalf, the organization must first take all reasonable steps to ensure that the personal information will not be used for purposes other than the purposes for which it was collected or communicated to the third person (except with the consent of the employee concerned). If the organization cannot ensure that the information will not be misused, then it must refuse to communicate the information or refuse to entrust a person or a body outside Québec with the task of holding, using or communicating the information.

The BC Personal Information Protection Act does not specifically address cross-border transfers of personal information. However, the BC Privacy Commissioner can still consider whether such transfers comply with the general requirements of the BC Act, and whether individuals should be notified regarding:

  • Whether reasonable security measures were implemented;
  • The sensitivity of the information being transferred;
  • The foreseeability of privacy breaches and the resulting harm; and
  • Generally accepted practices in a particular sector or with respect to a particular activity.

Finally, organizations should be aware that certain sectors may be subject to additional regulatory regimes. The Bank Act, Trust and Loan Companies Act, Co-operative Credit Associations Act and Insurance Companies Act each contain provisions applicable to transferring information outside of Canada. Public sector legislation often prohibits a public body from transferring or disclosing personal information outside Canada.

International laws may also need to be considered, such as the OECD (The Organization for Economic Cooperation and Development) Guidelines and the European Data Protection Directive.

Enforcement

Section 16 of PIPEDA specifies remedies that the Federal Court can apply where it finds the Act has been infringed. These include:

  • An order that the organization correct its practices;
  • An order that the organization publish a notice of any actions taken or proposed to be taken to correct its practices, whether ordered by the Court or not; and
  • An award of damages, which can include damages for any humiliation caused to the complainant. While there are no express limits on the amount of damages, to date, damages awarded under PIPEDA have been quite modest.

BC, Alberta and Québec privacy legislation provide similar remedies to complainants. Under Alberta and BC privacy legislation, the applicable provincial privacy commissioner has the power, following an investigation, to direct the organization to remedy the situation. These orders are enforceable in court and may form the basis for civil actions. In Québec, orders of that Province’s privacy commission can be appealed to the Québec Superior Court.

New Developments

Finally, Canadian courts are developing law in relation to the tort of intrusion upon seclusion. Canadian courts have followed the approach that has been developed in the United States, and formulated this tort as follows:

One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his [or her] privacy, if the invasion would be highly offensive to a reasonable person.

This test includes an objective standard such that the invasion of privacy must be “highly offensive” to a “reasonable person”. The court also acknowledged that the protection of privacy may give rise to competing claims, such as freedom of expression, which may trump privacy rights.

EKB’s Privacy and Employment law team is knowledgeable and experienced in these areas.

This article is based upon a presentation given by Peter J. Brown at a recent Globalaw Annual Members Meeting in Charlotte, North Carolina.