Most weeks, I try to review the stories that go into the Digest at the same time I write these introductory notes. The stories often inspire me to raise an issue or two. Sometimes, there’s a story that is suggested but I raise concerns with the IAPP editors because I think the story isn’t telling the full story or because it's missing something important.
This week, I am raising with them the fact that we are running an article that is, in the simplest terms, really awful (and wrong) in describing Canadian privacy law obligations. I want the article to stay in the Digest because it is a good example of what I encounter every day: Misconceptions about what can and cannot be done with trans-border data flows.
Here’s the snippet from the article: “'Company X' has launched a … solution designed to be compliant with Canada’s Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how organizations in the country collect, use and disclose personal information while doing business. In order to be compliant with these privacy regulations, all data collected by both public and private organizations must be stored within Canadian borders.”
I’ve said it once, and I’ll say it again: Our laws do not say this. And no one with any real knowledge or authority has ever said so. It’s clearly one of the worst things to come from the fact that in British Columbia and in Nova Scotia they passed laws that restrict the international movement of personal information that is under the control of a public body.
But, folks, that’s it, that's all. The Privacy Act and PIPEDA both allow the cross-border flow of data. The catch is that it must be done properly. Notice and safeguards, plus accountability. You can't outsource that. To be sure, it’s sometimes complicated to do it properly, but it can be done (and, in my opinion, there are often good reasons for moving information across borders). The article I’ve quoted is plainly wrong, so read it with a grain of salt and do your part as a privacy professional to ensure these misconceptions don't travel further.