Terry McQuay

As a Canadian, ask yourself these questions:

"Would you like your personal information reviewed by a U.S. law authority, say the FBI?"

"Would you like your purchasing habits, your medical information, your resume, accumulated and accessed by U.S. government agencies?"

If these questions make you feel uneasy, you are not alone. According to a survey, published in June 2005, and conducted by EKOS Research Associates on behalf of the Privacy Commissioner of Canada, 64 percent of Canadians have serious concerns about companies transferring their personal information to the U.S.

So, as a Canadian, ask yourself this question:

"Should an organization be obligated to tell you when your personal information is going to be transferred to the U.S.?"

Or go even further:

"Should an organization obtain your consent before transferring your information to the U.S.?"

If you answered yes, you are not alone. The same EKOS survey found that 73 percent of Canadians thought it was of high importance that organizations inform them prior to transferring their information to the U.S. But the highest percentage, 84 percent, wanted an organization to obtain their consent prior to transferring their information to a foreign country, including the U.S.

The Office of the Privacy Commissioner of Canada has stated repeatedly, at the very least, a company in Canada that outsources information processing in this way should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country. In fact, if you are an individual residing in British Columbia, Canadian or non-Canadian, you have legislative protection that the personal information you provide the BC government will not be accessible by U.S. law authorities. This law, a privacy law called Freedom of Information and Protection of Privacy Act ("FOIPPA"), extends to all BC government agencies and their third-party suppliers.

Business Risk
Businesses in Canada are looking at this issue seriously. Mainly because:

Companies that provide outsourcing services to a BC government agency, or in many cases any Canadian federal or provincial agency, must locate outsourced personal information in Canada and take steps to ensure they cannot be compelled to release the information to a U.S. government authority;

Outsourcing firms that provide services to risk-averse industries, say banking and insurance, are receiving pressure from their customers to keep data in Canada;

All companies that transfer personal information to the U.S., either to their head office, to an affiliate, or through an outsourcing relationship, must answer the question: "What are our business risks related to transferring personal information to the U.S.?"

Some examples of the impact this issue has had on Nymity's customers include:

Moving data centers from U.S. locations to Canada;

Changing ownership of the Canadian subsidiary from U.S. to UK, such that U.S. officers could not compel the company to disclose information residing in Canada to U.S. authorities;

A U.S.-based firm not bidding on a contract, as it would be cost-prohibitive to move their data center to Canada, in keeping with contract requirements;

Winning a $14 million contract because their data center is in Canada;

Creating sales and marketing strategies to capitalize on the fact that they are a Canadian company and all information resides in Canada;

The Canadian subsidiary of a U.S.-owned company creating a datasheet to explain why the USA Patriot Act does not apply as their Canadian operations are completely independent and out of the reach of the U.S. head office;

Changing privacy policies in hopes that providing notice to consumers of their practices related to cross-border transfers of personal information will make them compliant with privacy laws in Canada;

Conducting audits of their service providers to ensure they are not using U.S.-linked sub-contractors;

Updating contracts with service providers; and

Updating customer contracts to provide notice of any cross-border transfers of personal information.

USA Patriot Act
Why are business risks increasing? The business risk associated with the transfer of personal information did not result from the EKOS survey or customer concerns. The risks are the direct result of the increased visibility of, and concerns related to, the USA Patriot Act in Canada. The Act provides U.S. authorities unfettered access to any personal information held by U.S. firms, whether it is on U.S. citizens, Canadians, or anyone else.

At first, the corporate concerns centered on compliance with privacy laws in Canada, mostly the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Canada's federal private-sector privacy legislation. PIPEDA governs all cross-border transfers of customer personal information by corporate Canada. Corporate Canada was concerned that the USA Patriot Act conflicted with the PIPEDA and their business practices could be found non-compliant with privacy laws in Canada. The question asked was:

"Does transferring personal information to the U.S. put our organization on the wrong side of privacy laws in Canada?"

The answer is not that straightforward. The answer, in pseudo-legal terms, is "It depends." If you are subject to BC's privacy law, FOIPPA, then yes, your organization would be found non-compliant and potentially subject to large penalties. As for Canada's privacy law, PIPEDA, it is unclear. Many experts believe there are exemption provisions in PIPEDA that would allow for disclosures to U.S. law authorities.

Should corporate Canada be concerned? Yes, as the liabilities go beyond the impact of non-compliance with privacy laws in Canada. The liabilities could include loss of contracts, and reputations could be damaged by the unwanted media attention.

How does an organization mitigate risk associated with transferring personal information to the U.S.? Understand the risks, get legal advice, and as always, take direction from the regulators — the privacy commissioners in Canada.

Implementing Recommendations from the Privacy Commissioner of Canada
The Office of the Privacy Commissioner of Canada is the regulatory body that provides oversight for PIPEDA, the law that governs all customer personal information transferred to the U.S. by corporate Canada. In a paper from the federal privacy commissioner to a provincial privacy commissioner, the federal commissioner stated:

"At the very least, a company in Canada that outsources information processing in this way should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country."

This was considered by many organizations as instructive guidance on complying with PIPEDA.

One of Nymity's customers, a Canadian bank, implemented this recommendation and provided notice to their customers that their personal information will be transferred to the U.S., and thus subject to U.S. law authorities. The notice stated:

"I acknowledge that in the event that a Service Provider is located in the United States, my information may be processed and stored in the United States and that United States governments, courts or law enforcement or regulatory agencies may be able to obtain disclosure of my information through the laws of the United States....

I acknowledge and agree that the ... paragraphs above constitute prior written notice to me of, and my consent to the collection, use and disclosure of my personal information as described above...."

Implementing the commissioner's recommendations, quite ironically, left the bank subject to customer complaints and a commissioner's investigation. The complaints gained media attention, in fact so much attention that the complaints became public knowledge, and this became one of the rare cases in which a company's name was associated with a complaint.

In October 2005, the commissioner's office published the finding related to the complaints, and it was no surprise that the bank that had followed the commissioner's recommendations was found to be compliant, and the complaints were therefore not well-founded. The finding stated:

"The bank took the appropriate step of being transparent about its practices of using a U.S.-based third-party service provider for processing and about the possible risk that customer personal information might be lawfully accessed by U.S. authorities."

So, at least from the commissioner's office's perspective, the bank was compliant with PIPEDA, and corporate Canada now has further instruction on how to be onside with PIPEDA when transferring personal information to the U.S. In fact, the commissioner's office stated that the bank did not need to obtain consent; notice would have been sufficient, as the consent created the impression that a customer could opt out of having their information transferred to the U.S.

What does the commissioner recommend? Obviously, comply with PIPEDA, which states:

"Principle 4.1.3 of Schedule 1 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.8 provides that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

To comply, the finding states:

"What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means."

Simple enough, but will implementing these measures mitigate the risks associated with transferring customer information to the U.S.? Possibly, from a compliance with PIPEDA standpoint. But does providing notice result in different business risks?

Does providing notice reduce business risk or increase it? If you, as a Canadian consumer, had to choose between two organizations, all other things being equal, wouldn't you choose the one that kept the data "out of harm's way" of the U.S. authorities?

Providing notice seems to at least create more questions, but what about business risk? Clearly, in the bank's case above, the unwanted media attention had a cost, including an impact on its reputation. In speaking with the bank, they indicated that doing the right thing is most important, and if they had to do the same thing over again, they would. But, have we seen other financial institutions providing notice? Actually, yes, but often in less "noticeable" ways, like changing the organization's privacy policy.

Providing notice about the transfer of personal information across national borders complies with privacy laws. However, such notice may have business implications that should be identified and assessed. In light of the foregoing, organizations should identify the methods of providing notice (re: transfers to the U.S.) that are most appropriate for them. For example, some organizations may choose to provide notice in their privacy policies (as prescribed by Nymity's National Privacy Policy Index), while other organizations may choose to provide notice by way of flyers, brochures, contracts, or letters.

Terry McQuay is president of Nymity, Inc., based in Toronto, Ontario. Nymity provides research, education and support services for privacy professionals tasked with providing privacy expertise to corporations and not-for-profit organizations with operations in the U.S. and Canada. For more information visit McQuay can be reached at +416.214.7838 or by email at

