Canadian Underwriter
Feature

Navigating ASP And SaaS Data Privacy Issues Across The U.S./Canada Border


November 30, 2009   by David Black



The information age has given us the ability to connect with virtually every government and business around the globe. While there are obvious benefits, there are also tremendous privacy risks to all parties involved — from individuals to small businesses to global corporations. An increase in the number of data breaches across the globe, compounded by a high level of personal and business impact, has led governments in the U.S., Canada and other countries to create or toughen their data privacy regulations.

In Canada, privacy acts have been enacted at the federal and provincial levels for public and private sector companies and for some specific industries. This, coupled with the fact that lines between federal and provincial jurisdiction over business activities are not clear, has created a broad level of confusion about what can and cannot be done in Canada when it comes to data privacy.

For several years, businesses around the world have been focusing on core competencies and outsourcing non-core functions. Now, application service providers (ASPs) and software as a service (SaaS) solutions allow companies to offload functions like human resources, benefits administration, information technology and other shared services. These tools enable companies to lower operating costs and focus on core business functions. They are safe, secure and cost-effective to implement, yet utilizing them across the U.S./Canada border can be tricky.

Global business expansion and technology evolution have provided a means to reduce costs and let organizations concentrate on the most critical aspects of business. And while leveraging such opportunities introduces risks of exposing information and breaching one or more of the numerous privacy regulations, not doing so limits competitive growth potential.

U.S./Canada transborder data flow

The transborder flow of personal information was launched into the spotlight in 2003 when British Columbia’s Minister of Health proposed contracting health information services to a U.S.-based company. The concern centred on the U.S. Patriot Act, which was introduced shortly after the events of Sept. 11, 2001 to give the U.S. Government greater ability to intercept and obstruct terrorist activities and communications. The Act requires U.S.-based companies to disclose information to authorities without notifying Canadian companies or individuals. Other countries, including Canada, have similar laws.

Understanding the laws and risks

To help U.S. and Canadian companies safely and effectively pursue cross-border ASP and SaaS solutions, the following points should be made clear:

• Private sector transfer of personal information from Canada to the U.S. is not a violation of Canadian federal law. The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal private sector privacy law that provides for the transfer of personal information so long as the law’s requirements are met. This is further supported by the 2008 Privacy Commissioner’s report, Leading by Example, which states, “The Assistant Commissioner noted that PIPEDA cannot prevent covered organizations from outsourcing to foreign-based service providers. Nor can PIPEDA prevent foreign governments from compelling production of personal information controlled by organizations within their own jurisdiction and under their lawful authority. However, what the Act does demand is that the covered organization be transparent about its personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means.” [i]

• Government sector transfer of personal information from Canada to the U.S. is not a violation of Canadian federal law. Similar to PIPEDA on the private side, Canada’s Privacy Act does not prohibit the international transfer of personal information so long as precautions are taken to provide appropriate protection and controls. The Treasury Board of Canada has no plans to restrict storing, accessing or disclosing personal information outside of Canada. [ii]

• The transfer of personal information from Canada to the U.S. by financial sector companies is not a violation of Canadian federal law. As with the Privacy Commissioner, the Office of the Superintendent of Financial Institutions approved such arrangements provided that contractual obligations for protecting privacy were implemented in accordance with PIPEDA. [iii]

• With a few exceptions, provincial laws permit the transfer of personal information from Canada to the U.S. British Columbia, Nova Scotia and Alberta have similar provisions on the storing, accessing and disclosing of public sector information by service providers outside of Canada. It should be noted that exceptions exist, as the responsible Minister can grant exemptions on a case-by-case basis.

Four tips to maximize value and minimize risk

Following are four key recommendations for companies that want to use ASPs and SaaS solutions across the U.S./Canada border:

• Consult legal counsel for the latest in Canadian regulations at both the federal and provincial levels. The laws change and new laws can be enacted at any time; therefore it is critical to stay current.

• Review federal and provincial cases for rulings on efforts similar to what your organization is considering. A precedent may already have been set, which will reduce the level of effort required to make decisions.

• Utilize contracts and other legal means to provide a high level of information protection with ASPs and SaaS providers. Service providers are aware of privacy concerns and should be prepared to properly protect data regardless of country of origin.

• Be open about policies and practices relating to the management of personal information. Make users aware of any data that will be stored outside of Canada.

The Canadian government is managing its laws with the goal of providing businesses with opportunities to improve operations and expand across borders. In many cases, offloading data storage and management to ASPs or SaaS providers across the U.S./Canada border can be done, if it is done properly. The keys to success are preparation and knowledge.

David Black is the chief information security officer for Aon eSolutions.

[i] Leading by Example: Key Developments in the First Seven Years of PIPEDA, page 12, paragraph 3 (http://www.privcom.gc.ca/information/pub/lbe_080523_e.pdf)

[ii] Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows (http://www.tbssct.gc.ca/pubs_pol/gospubs/TBM_128/pm-prp/pm-prp03-eng.asp)

[iii] PIPEDA Case Summary #2005-313 (http://www.priv.gc.ca/cf-dc/2005/313_20051019_e.cfm)
