Historically, there are two ways you can do this. You can do it the way that is included in PIPEDA, which is to put the onus on the organization to ensure that, when data is transferred anywhere to a service provider, whether that is in Canada or elsewhere, the same legal protections apply. The problem with that approach is that it relies on contract or other business-to-business agreements, and the individual tends to be excluded from that arrangement.
The other approach is to do what the Europeans have done over the years, which is a legal test, a jurisdiction-to-jurisdiction approach, which is to say, “These are the countries around the world to which personal data might be safely transferred.” The disadvantage with that is that it's a lengthy approach. It's highly legalistic. At the end of the day, it doesn't do a lot to ensure that the data is protected on the ground.
The short answer to your question is that it's complex. As I said, I think the approach that says that when a business is transferring data to a service provider, whether that's in Canada or offshore, it has to do an assessment, not only an assessment of what the company is doing but also an assessment of the legal and political environment.... For economic reasons, our businesses transfer personal data on Canadians to countries around the world that do not have proper privacy protection and, in some cases, have questionable human rights records. I think Canadians would be pretty annoyed about that if they knew it was happening.
A business should have to assess that. This is essentially what the Quebec law says. Do a privacy impact assessment—actually, broader than a privacy impact assessment—and be ready to demonstrate accountability for that data if and when a regulator comes calling.
That would be the compromise approach that I would suggest, but, at the moment, a business looks at this bill and says, “I want to transfer that data overseas. I want that data to be processed overseas. What do I have to do?” It's not clear. There's nothing there. Most legislation, as I said, has a section on international data transfers, and I think that would be something I would strongly advise.