Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

Published byJeremy Thornton Modified over 9 years ago

Similar presentations

Presentation on theme: "1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,"— Presentation transcript:

1 1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19, 2011

2 2 Canadian Privacy Laws Federal – PIPEDA (Personal Information Protection and Electronic Documents Act) – Applies where there is no provincial law Quebec Alberta British Columbia

3 3 Ten Basic Privacy Principles – when personal data is under control of a Canadian Entity 1.Accountability 2.Identifying Purpose 3.Consent 4.Limiting Collection 5.Limiting Use, Disclosure & Retention 6.Accuracy 7.Safeguards 8.Openness 9.Individual Access 10.Challenging Compliance

4 4 Best Practices When bidding on a Canadian RFP involving data processing and storage, review the bid’s terms and be ready to explain where data will be stored and processed Special legislation applies when contracting with certain provincial governments or municipalities If a Canadian corporate affiliate transfers data to the U.S., the Canadian company will remain responsible for the integrity of the data Personal data of U.S. data subjects stored in Canada will be subject to Canadian data protection legislation

5 5 Obligations of a Canadian organization when transferring personal data to the United States Accountability Safeguards Openness

6 6 Typical Cross Border Scenarios Storage of data on servers in USA – e.g. SAP installation Email service provider has no Canadian data centre SPAM service provider located in USA Email run through USA Data processed in USA Bidding on government work, issue in British Columbia and Nova Scotia

7 7 Risk Levels Non-APEC or non-OECD member countries United States European Union

8 8 Issues for Canadian Companies when transferring personal data to the United States USA Patriot Act Section 215 allows FBI to access records held in USA by applying for an order of the Foreign Intelligence Surveillance Act Court Company subject to a Section 215 order cannot reveal that the FBI has sought or obtained information from it U.S. has Safe Harbor accord with EU (2000) All companies not covered because U.S. sector specific laws and some U.S. States have enacted laws – not universal

9 9 Rulings Concerning Canada-USA Cross-Border Data Transfers

10 10 British Columbia BCGEU v. The Minister of Health Services and Maximus U.S. Company, Maximus, selected by B.C. Ministry of Health Services for administration of B.C.’s public health insurance program Union files complaint under public sector privacy legislation Personal health information of B.C. residents accessible to U.S. authorities under USA Patriot Act

11 11 British Columbia (cont’d) Act amended to require a public body to ensure that personal data under its control is stored only in Canada and accessed only in Canada (with certain exceptions) New requirement to report any foreign demand for disclosure to Minister

12 12 Alberta Outsourcing email services to Google University of Alberta spends a year investigating the possibility of a single campus email system using Google’s Gmail Users of University email system must be informed that their emails will reside in a foreign jurisdiction and be subject to the laws of that jurisdiction such as USA Patriot Act U of A agrees to inform students and employees it cannot guarantee protection against disclosure of emails residing in U.S.

13 13 Use of Service Provider in USA – Ruling 313 VISA credit card information to be processed in U.S. Canadian customer data stored on U.S. based software system VISA cardholder agreement amended No opt-out U.S. authorities may access the data

14 14 Ruling 313 Ruling Bank had contract with U.S. data processor to maintain comparable level of security and protection Bank appropriately notified customers

15 15 Security System Provider Shares Customer Data – Ruling 333 Security system company tells Canadian customers of intention to share customer contact information with U.S. parent company If catastrophic event overwhelms Canadian customer monitoring centre, alarm signals routed to other North American monitoring centre Sharing of customer address, phone, emergency contacts No sharing of financial or credit data

16 16 Ruling 333 (cont’d) Customers could opt out and get reduced level of service Ruling: Customer consent not required, not a disclosure Personal data being used for same original purpose Company was transparent and provided sufficient information about practices Parent company must adhere to same level of data protection

17 17 Outsourcing – Ruling 394 canada.com” outsourcing e-mail services to U.S. based company Customers requested to consent as condition of on-going services USA Patriot Act issues

18 18 Ruling 394 (cont’d) Ruling – Sharing with a third-party subcontractor is a “use” not a “disclosure” – Consent is required to the use – Best practice is to notify – Must take contractual measures to ensure security oversight monitoring auditing – Should provide notice that foreign-based service provider will be subject to foreign laws, which may be different than Canadian law

19 19 Federal Privacy Commissioner Guidelines PIPEDA does not distinguish between domestic and international transfers of data An organization is responsible for personal information in its possession, including information that has been transferred to a U.S. third party for processing Where information is transferred for processing, it can only be used for the purposes for which the information was originally collected; for example, internet service provider transfers personal information to third party to ensure technical support is available 24/7

20 20 Federal Privacy Commissioner Guidelines Comparable level of protection means that the third party processor must provide protection that can be compared to the level of protection the data would have received if it had not been transferred Primary means to protect personal information is through contract

21 21 Best Practices A Canadian company doing business with a U.S. parent, subsidiary, customer, vendor or supplier that involves transfer of personal data about Canadians will: want to be satisfied that the U.S. third party has policies and processes in place, including training and effective security measures, to ensure the data in its care is properly safeguarded in accordance with Canadian law set out requirements for safeguards in written contract retain the right to audit and inspect the U.S. company and its practices assess risk when transferring outside of Canada

22 22 Best Practices (cont’d) will want to make it clear to individuals that their information may be processed in a foreign country and it may be accessible to law enforcement and national security authorities ideally, will provide this notice at the time the information is collected Generally, a Canadian company will pay attention to the legal requirements of the jurisdiction in which the third party processor operates as well as the potential foreign, political, economic and social conditions and events that may reduce the service provider’s ability to provide the service

Download ppt "1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,"

Similar presentations

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Data Protection Law In India iPleaders and Intelligent Legal Risk management LLP.

Data Protection Law In India iPleaders and Intelligent Legal Risk management LLP.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.

Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.

PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
Sarah Branam Mehmet MunurDino Tsibouris

Sarah Branam Mehmet MunurDino Tsibouris
Cross-Border Privacy Issues and the USA Patriot Act Presentation for INSIGHT Montréal December 7-8, 2005 Charles Morgan 3662864.

Cross-Border Privacy Issues and the USA Patriot Act Presentation for INSIGHT Montréal December 7-8, 2005 Charles Morgan
Quebec City February 2005 PUBLIC SECTOR CIO COUNCIL BC - USA Patriot Act Update.

Quebec City February 2005 PUBLIC SECTOR CIO COUNCIL BC - USA Patriot Act Update.
Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.

Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
Lecture to Carleton University, Center for European Studies, December 1, 2010.

Lecture to Carleton University, Center for European Studies, December 1, 2010.
1 Office of theCommissariat Privacy Commissionerà la protection de of Canadala vie privée du Canada Personal Information Protection and Electronic Documents.

1 Office of theCommissariat Privacy Commissionerà la protection de of Canadala vie privée du Canada Personal Information Protection and Electronic Documents.
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Anglican Province of Canada Privacy Policy. Commitment to Privacy The Privacy Policy, including the Web Privacy Statement, is the Anglican Province of.

Anglican Province of Canada Privacy Policy. Commitment to Privacy The Privacy Policy, including the Web Privacy Statement, is the Anglican Province of.

Similar presentations

Ads by Google