Case Report – Federal OPC dimisses complaint about cross-border personal information transfer

On August 7th, the Office of the Federal Privacy Commissioner of Canada issued a report dismissing a PIPEDA outsourcing complaint filed by Philippa Lawson of the Canadian Internet Policy an Public Interest Clinic.

The report echoes the position the OPC established in Case Summary 313 and Case Summary 333 – that is, that the transfer of personal information into the United States does not necessarily breach the safeguarding requirement in PIPEDA because it exposes the information to the dictates of United States law, but that notification is required given the principle of openness. The OPC does give a little more detail on the required standard of notification in this report than it has done in the past:

Finally, organizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country’s government or agencies. In this respect, CanWest respected its obligation by reliably informing its subscribers, new and existing, of its arrangement with a new U.S.-based e-mail provider and of the potential impact on confidentiality of subscriber information. Consequently, Principle 4.1.3 was not contravened.

The report has been posted on CIPPIC’s website. Hat tip to Michael Geist.