Privacy Compliance: Cross-Border Data Transfers

Organizations must maintain compliance with privacy laws in Canada for personal information collected, used, stored or transferred into Canada or outside of Canada either directly or through an outsourcing relationship. The complexities related to transferring data across the Canadian border is the number one area of concern based on Nymity's research. There are 23 privacy laws in Canada, and in some jurisdictions it is virtually illegal to transfer personal information outside of Canada and in others jurisdictions organizations need to ensure that proper notice is provided to the individuals and that the organization implements adequate safeguards to ensure the personal information is not accessed inappropriately. Adequate safeguards could be complex as it could mean the same levels of safeguards as in Canada, but it could mean increased levels of safeguards depending on where the personal information will reside.

Cross-Border Issues

Organizations are more likely to need privacy counsel related to cross-border issues at the following times:

• when transferring data to new jurisdictions; outsourcing a significant function; or during a merger or acquisition;
• when conducting any monitoring of employees’ e-mail or Internet use in multiple jurisdictions;
• when establishing or consolidating any kind of global or regional HR database or database containing consumer information;
• when implementing a new website or on-line functionality in multiple jurisdictions;
• when responding to enforcement/litigation;
• when new legislation is introduced; or current legislation is amended, for example when new breach notification provisions are introduced.
  

Once an organization complies with domestic privacy laws, the organization is now subject to foreign privacy laws. International privacy compliance is full of legal complexities. Whether the data resides in the USA, Europe or in one of the over 33 countries with privacy laws, organizations must be compliance in all jurisdictions and ensure that a business practice in one location does not cause conflict in another. The old axiom of I will simply comply with the most restrictive provisions is too general and does not reflect the actual complexities of cross-border data transfers. To further complicates matters, today’s technology has made it easy for companies to collect, copy, and transfer personal data around the world.

With the introduction of a wide range of privacy and security laws in the USA and the EU, this “new” form of regulation has expanded to virtually all key business jurisdictions, imposing complex and often inconsistent privacy and data protection standards on multinational companies. Legal and business risks associated with non-compliance have grown significantly as well, from adverse public relations consequences when breaches occur, to the financial and human resource costs of addressing privacy-related complaints. Because of the volume of regulation and the numerous areas where privacy issues arise, successful development and implementation of privacy compliance solutions requires outside counsel with the experience necessary to provide practical, cost-effective solutions.

Also, data transferred into Canada would be subject to one or more of the 23 privacy laws in Canada. Although, transferring data to Canada could result in additional protections and be good for businesses that choose to operate in Canada, it still requires foreign organizations to be compliant.

---

Privacy Review: Cross-Border Legal Services Most organizations have a local law firm that that provides legal services on domestic issues. Baker & McKenzie provides domestic legal expertize as well. But for Canadian companies engaging in business practices that results in personal information being transferred outside of Canada, Baker & McKenzie has specialized services to meet these complex legal needs. Baker & McKenzie's focus on international issues has resulted in a team of privacy lawyers who understand the international issues resulting from conflict in international laws and nuances that result from cross-border transfers. The issues can arise based on a new business practice, or by simply outsourcing a current business practices to a service provider with international operations. Baker & McKenzie maintains extensive international online resources and precedent banks used by all members of Baker & McKenzie's global privacy team. Baker & McKenzie maintains an internal communications service to ensure all privacy lawyers stay informed on all emerging privacy issues and collectively produce corporate recommendations.
Laws impacting personal information go well beyond "privacy laws" and include labour and employment laws, consumer protection laws, and other local laws that impact organization collection, use, retention and disclosure of personal information. Baker & McKenzie has several legal practices that impact privacy, for example human resources laws and IT laws. As the privacy legal group participates in multiple legal practices they are able to advise their clients on a complete set of business practices. Baker & McKenzie service deliverables include the following: Factual reports about the company’s global privacy practices, and gap analysis and compliance recommendations HR privacy policies and procedures, and privacy provisions for HR handbooks as well as privacy provisions for local employment contracts Customer privacy policies and procedures, including those related to marketing Contracts to facilitate cross-border data transfers Data security policies as well as website privacy policies and related implementation guidelines E-mail and Internet monitoring policies and protocols Procedures for data subject access requests, data security breaches, and inquiries from data protection authorities and regulators. Similarly, organizations operating outside of Canada, now wanting to offer services to Canadians or use Canadian organizations in an outsourcing arrangement now will find themselves subject to one or more of the 23 privacy laws in Canada. Baker & McKenzie Canada has Canadian expertise for international organizations planning to operate in Canada. This expertise is provided to the foreign organizations in the context of their local legal regime thus allowing them to quickly understand if their current compliance requirements are sufficient for Canadian law. For example, Baker & McKenzie could provide an organization based in Germany, and compliant with German legislation, advice based on their existing knowledge of German laws. Privacy Handbook Baker & McKenzie's Global Privacy Handbook is a free publication that covers 33 countries and 16 topics. It provides a snapshot of core privacy laws, principles and concepts in many of the world's major business centres, and highlights some of the key privacy and information management issues that organizations frequently seek guidance on.

Next Steps

Learn more about Baker & McKenzie by visiting www.bakernet.com, downloading the Global Privacy Handbook, reviewing an Interview with Theo Ling or by contacting Theo Ling at:

Theo Ling Partner Phone: 416 865 6954 Email: theodore.c.ling@bakernet.com

Theo is currently the Chair of the Baker & McKenzie Global Privacy Steering Committee, and the editor of the IAPP endorsed Global Privacy Handbook.

He has provided strategic privacy advice to a diverse and wide range of industries and leading fortune 100 companies. Whether he is advising on tactical privacy advice from a multi-jurisdictional or global perspective, or providing counsel on a strictly local issue, Theo takes a pragmatic and practical approach to each assignment and brings to the table a varied range of practice and industry expertise, coupled with cutting edge advice and execution.

Clients attest to his knowledge and capabilities, and describe Theo as an objective thinker, with the ability to “see around the corner”, and as someone who navigates his clients with ease through even the most complex assignments.

Each and every client benefits from the collective global knowledge base and the experience of the Baker & McKenzie Global Privacy Practice Group. The group routinely meets and interacts regularly to share best practices, discuss trends in the marketplace, consider industry direction and to conduct internal training sessions and seminars to further their legal knowledge – the end result is lawyers who understand the legal requirements of the local jurisdiction, yet understand the ‘global picture’.

• Strategic Alliances
  • Research Contributors
  • IAPP
  • PrivaWorks Real Risk Study
  • USCIB
  • US Privacy Solution Reviews
  • Canadian Privacy Solution Reviews
    • Breach Management Services
    • Do-Not-Call
    • Cross Border Legal Services
    • Data Leakage Protection
    • Document Shredding Services
    • EHR Legal Services
    • PC Data Protection
    • Privacy Breach Insurance
    • Privacy Filters
    • Training Employees
  • Privacy by Design
  • The Future of Privacy
  • The Ponemon Institute
  • Carswell

• Free Privacy Maps
• Privacy Research Tools
• Visit Customer List