When data is transferred to a service provider, subsection 11(1) provides that the organization must provide this required level of protection "contractually or otherwise." Under PIPEDA, contracts have been the primary means by which transborder data transfers have been regulated, and it appears that the CPPA intends them to be the primary means as well. It is not immediately clear what "or otherwise" might include. It should be noted that since 2009, in its Guidelines on the Cross-Border Processing of Personal Data, supra footnote 16, the Office of the Data Protection Commissioner has used the terms "processor" and "processing" to describe activities related to the cross-border transfer of data for processing. Bill C-11 uses different wording. This may be partly because the government is trying to point out that the scope of PIPEDA's commitment to Bill C-11 has changed – that not only transfers for processing of the type covered by PIPEDA are covered by Bill C-11, but also a much broader range of data-related services. This is supported by paragraph 62(2)(d) of Bill C-11, ibid., which refers to organizations that make international transfers or disclosures of data.
The report referred to a complaint filed by a former FI employee alleging that FI did not obtain consent to transfer personal data when it outsourced certain aspects of its fraud handling services to a third-party service provider based in India, and that it failed to allow customers to opt out. The complaint also alleged that FI had not been sufficiently open about its outsourcing practices.
Nothing in the CPPA is specific about what "or otherwise" in subsection 11(1) might mean. The CPPA should be amended to make it clear that the provisions of the codes of conduct and the certification scheme can be used to ensure "substantially the same level of protection of personal data" with respect to transborder data flows.
In addition, the law should include options that meet the reference to "or otherwise", such as binding corporate rules or systems.
Although Schrems II deals with a transfer of data to the USA, the standards set out therein apply to data transfers to all countries outside the EU. Footnote 33 The Court emphasised that in the absence of an adequacy decision, it is for the parties to the data transfer to assess whether the SCC safeguards or binding corporate rules can be complied with, whether additional measures are necessary and whether, even in the case of complementary measures, personal data can be adequately protected. Footnote 34 If this is not possible, the transfer cannot take place.
Convention 108+ is an interesting and important international agreement on data protection to which Canada should accede. Footnote 65 Convention 108+ addresses, among other things, cross-border data transfers. A provision in Convention 108+ on this subject is not addressed in the CPPA at all. These are demonstrable accountability and specific recourse requirements: Subsection 14(6) states:
Like PIPEDA and the APA, New Zealand's Data Protection Act Footnote 77 (NZPA) is organized around the collection, use and disclosure of personal data. However, § 11 NZPA mentions specific circumstances in which data is transferred from one organisation to another without this constituting a "disclosure". Footnote 78 In particular, if the recipient holds data as an authorized representative of the transferor (e.g., for secure storage or processing), the data is considered the property of the transferor and not the recipient.
Footnote 79 In these circumstances, neither the flow of data from the assignor to the recipient nor vice versa is considered use or disclosure. Footnote 80 The New Zealand Data Protection Commissioner has described this provision as applying, for example, to a cloud storage service provider Footnote 81 or in cases where data is outsourced for processing. Footnote 82 However, if the recipient uses or discloses the personal data for its own purposes, the data is deemed to have been disclosed by the New Zealand entity. A cabinet document states, "Once the information has been disclosed abroad, it is outside the jurisdiction of the law." Footnote 83 As a result, a new data protection principle was introduced, obliging the New Zealand organization to ensure that the data enjoys an acceptable level of protection in the country of transfer. The firm's document states: "The new data protection principle will give authorities considerable flexibility in determining the steps they take to ensure acceptance of data protection standards in the countries concerned." Footnote 84
The full French version of recital 62(2)(d) reads as follows: "d) whether or not it makes transfers or disclosures of personal information interprovincial or international that may have a reasonably foreseeable impact on privacy."
There are different approaches to protect personal data transferred for processing purposes. European Union member states have enacted laws prohibiting the transfer of personal data to another jurisdiction, unless the European Commission has determined that the other jurisdiction provides "adequate" protection for personal data. The situation is different if the data have been transmitted in accordance with section 8.2. The Australian company is not liable if it has transferred data overseas on the "reasonable assumption" that the offshore company is subject to a binding law or regulation that provides protection at least substantially similar to APPs.
Compliance with Article 8.2 requires that mechanisms be in place to enable data subjects to assert their rights.