European Union: European Commission Affirms Protection Of Personal Data By Canada's Federal Privacy Framework As "Essentially Equivalent" To The EU

Recently, the Commission to the European Parliament and the Council (the "European Commission") affirmed that Canada's Personal Information and Protection of Electronic Documents Act ("PIPEDA") ensures an adequate level of protection for personal data transferred from the European Union ("EU").

A comprehensive review of data protection frameworks around the world

The European Commission published a report¹and Commission Staff Working Document² which outline the first review of adequacy decisions with respect to Canada, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay ("Review").

The Review concentrates on the current data protection frameworks of these eleven countries and territories. Additionally, it examines the regulations governing government access to data, particularly for purposes related to law enforcement and national security.

The Review explores the changes in legal frameworks, oversight mechanisms and enforcement systems since the adoption of adequacy decisions, some of which date back over 20 years, and marks the initial comprehensive assessment since these decisions were first made. In the Review, the European Commission adopted its adequacy decision on the adequate protection of personal data provided by PIPEDA in 2001 ("Adequacy Decision").

Data protection in the EU has developed with the adoption of the General Data Protection Regulation³ ("GDPR") in 2016 and further clarification through the case law of European courts and adjudicative authorities. Similarly, Canada's privacy framework has been modified over the years through legislative amendments, case law and guidance from the Office of the Privacy Commissioner of Canada ("OPC").

Further legislative reform is currently underway with the federal government introducing Bill C-27: Digital Charter Implementation Act, 2022⁴ ("Bill C-27") in June 2022. Bill C-27 anticipates replacing PIPEDA to further amend and modernize Canada's privacy law framework. The Review takes note of this forthcoming legislative reform, which may further strengthen privacy protections considered by the Adequacy Decision.

For more information of Bill C-27 please see Gowling WLG's summary: Bill C-27: Canada Reintroduces Sweeping Changes to Federal Privacy Law, Proposes New AI Legislation and Preparing for the Consumer Privacy Protection Act: Overview.

Canada's privacy framework continues to provide adequate protection

The Adequacy Decision recognizes that PIPEDA's privacy framework delivers a level of protection that is essentially equivalent to the EU one.

In the Review, the European Commission underscores that the data protection principles provided by PIPEDA, which closely align with EU data protection rules, have not changed since the Adequacy Decision was adopted. These principles include purpose limitation, purpose specification, data accuracy, data minimization, data retention, security, accountability and transparency. The Review addresses developments in PIPEDA's framework since the Adequacy Decision:

1. Legislative updates to PIPEDA, including adding conditions and exceptions for consent and a mandatory data breach notification, where there is a real risk of harm.
2. Decisions and guidance from the OPC, which clarify legislative requirements, such as the clarification of the definition of personal information and the requirement to notify of international transfer of personal data, among others.

The Review also considered how public organizations, governmental and public bodies may obtain personal information processed by organizations governed by PIPEDA. For instance, public authorities can access and use personal data for purposes related to criminal law enforcement and national security, or for other purposes in the public interest.

The Canadian legal framework is comprised of a number of sources which limit access and use by public authorities, including the Canadian Constitution (of which the Canadian Charter of Rights and Freedoms is a part), case law and legislation regulating access to data and data protection rules (e.g. federal Privacy Act⁵and equivalent provincial privacy legislation). Furthermore, the Canadian legal system provides oversight of public authorities, such as criminal law enforcement and national security agencies, and avenues for individuals to seek redress. Notably, the Privacy Act extended the right to access and correct personal information to all individuals, regardless of citizenship/nationality or place of residence.⁶

The European Commission concludes that PIPEDA continues to provide an adequate level of protection for the personal data transferred from the EU to organizations subject to PIPEDA. Data transfers from the EU to organizations governed by PIPEDA can continue without additional requirements. This finding marks a positive step forward in international data transfers.

Opportunities unexplored

While the Review acknowledges Canada's dedication to privacy and data protection, unfortunately it overlooks the substantial privacy reforms undertaken in Quebec. The Quebec Act to Modernize Legislative Provisions respecting the Protection of Personal Information⁷, as recently amended by the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information8("Law 25") came into force on September 22, 2022.

Law 25 introduced significant changes to privacy frameworks for businesses in Quebec, establishing itself as the most stringent privacy law in Canada. Notably, Law 25 encompasses the 10 information principles upon which PIPEDA is based and is considered substantially similar to PIPEDA. Further, Law 25 incorporates similar concepts found in GDPR including new rights for individuals such as the right to require cessation of dissemination or de-indexing and the right to data portability. Like GDPR, penalties for non-compliance with Law 25 are both severe and unprecedented in Canada.

The Adequacy Decision affirms that data transfers from the EU to organizations governed by PIPEDA can occur without additional requirements. It is important to note that the decision does not apply to data transfers from the EU to Quebec, though many organizations subject to Law 25 will also be subject to PIPEDA if they transfer data across Canadian borders or internationally. As data protection continues to be a global concern, the need for harmonization and recognition of regional nuances becomes crucial.

Takeaways

In this age of a digitized society and globalized economy, privacy is a top priority for commercial parties. For this reason, adequacy decisions are increasingly important in facilitating cooperation in the commercial context. These decisions facilitate the free flow of data within 30 economies within the EU and other jurisdictions around the world, and foster cooperation between like-minded foreign partners.

As stated in the Review, "the adoption of an adequacy decision is not an 'end point.'"⁹ It remains to be seen how Bill C-27 will strengthen data protection in Canada and lead to revised adequacy findings.

Footnotes

1. Report from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of the Directive 95/46/EC ("Report").

2. Commission Staff Working Document: Country reports on the functioning of the adequacy decisions adopted pursuant to Article 25(6) of the Directive 95/46/E ("Commission Staff Working Document").

3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("General Data Protection Regulation").

4. Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts ("Bill C-27").

5. Privacy Act, RSC 1985, c P-21.

6. Privacy Act Extension Order, No. 3, SOR/2021-174.

7. Act to Modernize Legislative Provisions respecting the Protection of Personal Information (CQLR, c. P-39.1) ("Private Sector Act").

8. Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (SQ 2021, c. 25).

9. Report at p. 14.