Companies should review their cross-border data-transfer agreements in light of both the privacy commissioner’s guidance and the recent decision of the Court of Justice of the European Union invalidating the EU-US Privacy Shield Framework.
The Office of the Privacy Commissioner of Canada recently issued a report resolving a complaint against TD Canada Trust. The complaint by a former employee alleged that TD failed to satisfy the provisions of Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) by using a third party to process customer data in India without proper notice to the customers.1 According to the complaint, TD was required to obtain the customers’ consent before transmitting their personal data to India and allow customers to opt-out of the foreign transfer
The privacy commissioner found the complaint wasn’t well founded based largely on the provisions in TD’s contract with the processor, which satisfied the provisions of both PIPEDA and the privacy commissioner’s guidelines for processing personal data across borders.2 The commissioner concluded TD was appropriately transparent to customers about its outsourcing practices and remained accountable for handling customer data through its contract with the third-party processor.
In reaching its conclusion, the privacy commissioner emphasized that several clauses in the contract between TD and the processor maintained TD’s accountability for the overseas transfer. In particular, the highlighted provisions ensured the transferred data would be treated by the overseas processor with the same level of protection that would be required in Canada under PIPEDA:
- Risk assessment prior to entering the contract. TD completed a thorough assessment of the risk of data transfer and committed sufficient resources to mitigate the risk.
- Employee background assessment and monitoring. TD included a number of contractual provisions requiring the process to conduct recurring background checks of all employees handling TD customer data and remove access to TD systems for any employee who failed any aspect of the background verification.
- Employee policies and training. The contract requires the processor to develop and maintain procedures to prevent copying TD customer data and ensure the data isn’t stored in India and train its employees in TD’s information-security practices.
- Work environment controls. The contract specifies controls that must be implemented in physical workspaces, including a prohibition against personal electronic devices and the use of visual inspection of employees.
- Access and other cybersecurity-related controls. The processor is required to implement various system architecture measures to protect against unauthorized access to information.
- Proactive monitoring end enforcement of contractual obligations. The contract allows TD to proactively monitor and audit the processor to ensure contractual compliance.
The privacy commissioner’s report underscores the importance of drafting cross-border data-processing contracts that satisfy international privacy and security standards, whether transferring data across the US-Canada border or elsewhere abroad. The privacy commissioner’s guidance is reinforced by the July 2020 decision of the European Court of Justice invalidating the EU-US Privacy Shield Framework.3 The court’s decision placed data-protection provisions in private contracts at the heart of compliance with the European Union’s General Data Privacy Rule.
In light of these recent developments, companies should reassess their cross-border data-transfer agreements. Barclay Damon attorneys can assist by reviewing current agreements and implementing best practices and standard provisions for cross-border data-processing contracts.
Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2020-001, August 4, 2020
Office of the Privacy Commissioner of Canada, Guidelines for processing personal data across borders, January 2009
Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18 (July 16, 2020)