Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

September 17, 2020

Privacy Commissioner of Canada Outlines Best Practices for PIPEDA-Compliant Cross-Border Data-Processing Contracts

Companies should review their cross-border data-transfer agreements in light of both the privacy commissioner’s guidance and the recent decision of the Court of Justice of the European Union invalidating the EU-US Privacy Shield Framework.

The Office of the Privacy Commissioner of Canada recently issued a report resolving a complaint against TD Canada Trust. The complaint by a former employee alleged that TD failed to satisfy the provisions of Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) by using a third party to process customer data in India without proper notice to the customers.1 According to the complaint, TD was required to obtain the customers’ consent before transmitting their personal data to India and allow customers to opt-out of the foreign transfer

The privacy commissioner found the complaint wasn’t well founded based largely on the provisions in TD’s contract with the processor, which satisfied the provisions of both PIPEDA and the privacy commissioner’s guidelines for processing personal data across borders.2  The commissioner concluded TD was appropriately transparent to customers about its outsourcing practices and remained accountable for handling customer data through its contract with the third-party processor.

In reaching its conclusion, the privacy commissioner emphasized that several clauses in the contract between TD and the processor maintained TD’s accountability for the overseas transfer. In particular, the highlighted provisions ensured the transferred data would be treated by the overseas processor with the same level of protection that would be required in Canada under PIPEDA:

  • Risk assessment prior to entering the contract. TD completed a thorough assessment of the risk of data transfer and committed sufficient resources to mitigate the risk.
  • Employee background assessment and monitoring. TD included a number of contractual provisions requiring the process to conduct recurring background checks of all employees handling TD customer data and remove access to TD systems for any employee who failed any aspect of the background verification. 
  • Employee policies and training. The contract requires the processor to develop and maintain procedures to prevent copying TD customer data and ensure the data isn’t stored in India and train its employees in TD’s information-security practices.
  • Work environment controls. The contract specifies controls that must be implemented in physical workspaces, including a prohibition against personal electronic devices and the use of visual inspection of employees.
  • Access and other cybersecurity-related controls. The processor is required to implement various system architecture measures to protect against unauthorized access to information.
  • Proactive monitoring end enforcement of contractual obligations. The contract allows TD to proactively monitor and audit the processor to ensure contractual compliance. 

The privacy commissioner’s report underscores the importance of drafting cross-border data-processing contracts that satisfy international privacy and security standards, whether transferring data across the US-Canada border or elsewhere abroad. The privacy commissioner’s guidance is reinforced by the July 2020 decision of the European Court of Justice invalidating the EU-US Privacy Shield Framework.3 The court’s decision placed data-protection provisions in private contracts at the heart of compliance with the European Union’s General Data Privacy Rule.

In light of these recent developments, companies should reassess their cross-border data-transfer agreements. Barclay Damon attorneys can assist by reviewing current agreements and implementing best practices and standard provisions for cross-border data-processing contracts.

1 Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2020-001, August 4, 2020  

2 Office of the Privacy Commissioner of Canada, Guidelines for processing personal data across borders, January 2009

3 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18 (July 16, 2020)

Featured Media

Alerts

Fourth Department Finds Language in 1980 Statute Is Gender Neutral for Purposes of Child Victims Act

Alerts

Priority of Federal Tax Lien on Personal Property: Secured Lender vs. IRS

Alerts

COVID-19 Business Interruption Update: New York High Court Affirms in Favor of Insurer

Alerts

USFWS Introduces General Permit for Bald and Golden Eagle Incidental Take

Alerts

ORES Executive Director Issues First Denial of Section 94-C Permit Application Following Applicant's Partial Loss of Site Control

Alerts

New Details About OPWDD Spending in the New York State FY 2025 Executive Budget

We're Growing in DC!

We’re excited to announce Barclay Damon’s combination with Washington DC–based Shapiro, Lifschitz & Schram. SLS’s 10 lawyers, three paralegals, and four administrative staff will join Barclay Damon while maintaining their current office in DC’s central business district. Our clients will benefit from SLS’s corporate, real estate, finance, and construction litigation experience and national energy-industry profile, and their clients from our full range of services.

Read More

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out