We might call it “compliance jurisdiction creep.” Many businesses engage multiple jurisdictions when they do business. The Internet means that they may be domiciled in one country with service providers, data processors and customers in other countries. But as these organizations enter into relationships with entities domiciled, or with relevant operations, in other jurisdictions, the number of laws that may become applicable to the organization’s operations may also multiply. In this post, we will examine a few of the ways in which organizations may become subject to foreign laws relating to data protection and data production.
Minimum Contacts and Substantial Connections
All organizations should monitor the extent of their contacts and connections with other countries when considering what laws should govern their compliance obligations.
Many legal systems extend the reach of data protection laws (and other laws) through concepts such as minimum contacts or substantial connections. An example of this was discussed in Dennis Holmes’ Privacy Tracker post on Australia’s recent amendments to its Privacy Principles. Under the Australia Privacy Amendment (Enhancing Privacy Protection) Act of 2012, an organization “carrying on business” in Australia must comply with the Australian Privacy Principles. As Holmes’ writes, this will include foreign organizations with an extensive online presence even if that entity has no physical presence in Australia.
Other examples abound. In the U.S., many state breach notification laws apply to foreign organizations even if they are not domiciled in the state or anywhere in the United States, provided that the organization “conducts business” in the state. In Europe, amendments are being considered that would require foreign data controllers to comply with EU privacy rules if they offer goods or services to data subjects in the EU or are engaged in data analytics or behavioral advertising of EU residents.
Similarly, in Canada, there are a number of judicial and regulatory decisions establishing extraterritorial jurisdiction over organizations that have a substantial connection with Canada. For example, the Office of the Privacy Commissioner has held that a European airline was subject to Canadian privacy laws even though it was headquartered in Europe. The airline said it was governed by and complied with EU privacy rules and was not subject to the obligations under Canada’s Personal Information Protection and Electronic Documents Act. The Office of the Privacy Commissioner disagreed. The airline offered services to Canadian passengers and flew to and from Canada with employees at several Canadian airports.
Power and Control Matters
Contacts and connections are obvious ways to become subject to foreign laws. But they aren’t the only ways. An organization may also find that its data is subject to the laws of another jurisdiction because a party in that jurisdiction has or shares control over the organization’s data.
For example, many legal systems contain provisions that enable governments and private litigants to compel the production of records that are within the “power” or “control” of a party even if the records are not within the territorial jurisdiction of the court or regulatory authority seeking to compel production. When dealing with data, therefore, it is important to consider not only where the data will reside but who will have power or control to access that data. In other words, just because data is stored outside of a country doesn’t necessarily mean the regulators of that country won’t have access to it.
This principle was recently illustrated in A Certain E-Mail Account Controlled and Maintained by Microsoft Corporation (In re), 2014 WL 1661004 (SDNY), unless it is overturned on appeal. This case involved a search warrant issued under the U.S. Stored Communications Act (SCA), authorizing the search and seizure of information stored in an e-mail service provided by Microsoft. Microsoft fought the warrant on the basis that U.S. federal courts do not have the authority to issue warrants for the search and seizure of property outside of the U.S. The data for the e-mail account in issue was stored on servers in Ireland.
Judge Francis concluded that the search warrant provisions in the SCA were similar to a subpoena. It is well established that if a party that is subject to a subpoena has control over data in another jurisdiction, the party can be compelled by subpoena to produce it notwithstanding that data is not in the possession or custody of the party. Although the test for a warrant was higher under the SCA than for a subpoena, the court concluded that “it does not alter the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information.”
But Location Still Matters for Conflict of Laws
Far reaching data production laws based on production and control may place third parties into conflict with the laws of the jurisdiction in which the data is stored. So, location still matters.
In Canada, the provinces of British Columbia and Nova Scotia have blocking legislation to prevent personal information in the public sector from being transferred outside of Canada, subject to limited exceptions. For example, in Nova Scotia, the Personal Information International Disclosure Protection Act requires that a service provider to a public sector body ensure personal information in its custody or under its control is stored only in Canada and accessed only in Canada.
Two other Canadian laws are less well-known, but may apply in some cases. Ontario and Quebec each have business records protection legislation. This legislation operates to prevent businesses in Ontario and Quebec from responding to foreign summonses and production orders if responding would involve sending business records stored in those provinces to another country. The purpose of the legislation is to require the party seeking the production to bring an application for a recognition order in Ontario or Quebec, depending on where the records are located. There are, however, a number of exceptions. One important exception is where the transfer is consistent with and forms part of a regular practice of furnishing to a head office or parent company or organization outside Ontario material relating to a branch or subsidiary company or organization carrying on business in Ontario.
Choice of Law
Another way an organization can become subject to the laws of another jurisdiction is by contractually agreeing to be bound by those laws. Typically, this will be done expressly. However, care must be taken with boilerplate choice of law provisions, particularly when combined with obligations to comply with all applicable law.
Although not in the data privacy context, the Ontario case of Landsbridge Auto Corp. v. Midas Canada Inc., 2010 ONCA 478, illustrates the issue. In that case, the parties stated that the franchise agreement “including all matters relating to the validity, construction, performance and enforcement thereof, shall be governed by the laws of the Province of Ontario.” The Court of Appeal concluded that this choice of law clause imported the substantive law governing Ontario franchise agreements even though the franchise was not operated in Ontario. This law applied in addition to the rights of the franchisee found under the local law outside of Ontario.
In our modern, interconnected global economy, being compliant with one’s “home” jurisdiction is not sufficient. It is equally important to consider whether an organization has through its deliberate activities or its relationships with other organizations become subject to the laws of foreign states.