(July 2007)

On July 25, 2007, CIPPIC asked the Privacy Commissioner to investigate and report on's compliance with PIPEDA, and in so doing to clarify legal requirements for notice and consent in situations involving outsourcing of core business operations to a US-based company. In early 2007, notified its email customers that it had outsourced its email service operations to US-based Velocity Services Inc. This raised concerns among some customers about the consequent increased risk of surreptitious US government access to the email communications of subscribers. CIPPIC asked the Privacy Commissioner to investigate and report on whether Canadian subscribers of email services receive a "comparable level of protection" of their personal data from US-based providers as compared to Canadian providers.

In a letter dated August 7, 2008, the OPC concluded that CIPPIC's complaints were not well-founded since "the risk of a US-based service provider being ordered to disclose personal information to US authorities is not a risk unique to US organizations", and since had provided adequate notice of its outsourcing and had ensured that all customers consented to it. In so finding, the OPC reiterated its position:

  1. "that the sharing of information with a third-party service provider constitutes a "use" for the purposes of the Act, and that an individual's consent must be obtained fro the uses of her or his personal information"; and that
  2. "organizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country's government or agencies."