As Canadians were getting ready to head off for a long-weekend, Canada and the U.S. released a Statement of Privacy Principles intended to govern sharing of information between the two countries in connection with the Canada-U.S. Security Perimeter agreement.
Canada and the U.S. have expressly declared that the Statement of Privacy Principles is non-binding and does not create any rights or obligations under domestic or international law. Accordingly, its utility appears to be limited to a guiding statement of intentions.
There are twelve principles. Three are particular worthy of noting:
- Permission for Onward Transfers to Third Countries. Information shared by Canada with the United States (or by the United States with Canada) may be shared with third countries. For example, data shared by Canada with the U.S. may be shared with a third country if onward sharing would be consistent with the domestic law of the United States and any sharing conforms to international agreements and arrangements between the United States and third countries. If there are no applicable international agreements, the originating country (in our example, Canada) is supposed to be notified of the information transfer.
- Redress. Canada and the United States are supposed to provide for remedies where a person’s privacy has been infringed by international sharing or where there has been a violation of data protection rules with respect to that individual.
- Individual Access and Rectification. Canada and the United States are supposed to provide individuals with access to personal information as well as the ability to seek rectification and/or expungement of their personal information. If access is to be limited, the country restricting access is supposed to provide specific grounds consistent with domestic law.