On January 27th, the federal Privacy Commissioner released a document entitled “Guidelines for Processing Personal Data Across Borders.” The guidelines reflect the OPC’s pragmatic approach to the issue, but seem to put slightly greater emphasis than in prior commentary on the need for organizations to examine local and polictical factors in their due dilligence process:
In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.
The Guideline is available here.