Introduction
For the first time in 23 years, the European Commission (Commission) has reviewed its adequacy decision relating to privacy in Canada and concluded that Canada continues to provide adequate protection for personal data transferred from the European Union[1] (EU) to recipients subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
This decision confirms that personal data can flow from the EU to Canada in this regard without additional safeguards being necessary, affirms the strength of Canada’s current privacy framework, and provides further recommendations for Canada to consider in light of the current legislative reform of PIPEDA.
Background
The General Data Protection Regulation (GDPR)
The GDPR entered into force on May 25, 2018. It harmonizes national data privacy laws throughout the EU and strengthens personal data protection for EU residents. It applies to entities handling EU residents’ personal data, including entities outside of the EU, if they offer goods or services to EU residents or monitor the behaviour of EU residents.
Adequacy Decisions
Under article 45 of Regulation (EU) 2016/679, the Commission has the power to determine whether a country outside the EU offers “an adequate level of data protection”.
Adequacy status: Adequacy status is important because it allows for a seamless exchange of personal data between the EU and a country outside of the EU and opens doors for organizations to do business with those in Europe. Losing the adequacy status would make it more difficult to do business.
Determining adequacy: Determining adequacy involves a proposal from the Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries and the adoption of the decision by the Commission.[2]
Countries that provide “adequate protection”: In addition to Canada (commercial organizations), the European Commission has recognized a number of other countries, such as the United States (commercial organizations), Japan, New Zealand, Switzerland, Israel and Argentina, as providing “adequate protection”.[3]
2024 Review
With the adoption of the GDPR, the Commission is required to review adopted adequacy decisions every four years and must report the findings to the EU Parliament and Council.
On January 15, 2024, the Commission published its report on the first review (Report). In it, the Commission reviewed 11 countries and territories’ existing adequacy decisions. The Commission concluded that all 11 adequacy decisions, including Canada’s, remain in place and personal data can continue to flow without additional safeguards.
Canada
PIPEDA was first recognized as providing adequate protection in 2001.[4] In the 2024 Report, the Commission welcomed the legal developments in data protection since then.
The Commission made note of PIPEDA and its amendments, and the further clarity on data protection requirements provided through jurisprudence and the Office of the Privacy Commissioner’s guidance.
To enhance legal certainty and to unify requirements, the Commission recommends that Canada codify “some of the protections that have been developed at sub-legislative level in legislation”[5]. The Commission notes that the current PIPEDA legislative reform could provide the opportunity to strengthen the privacy framework.
This decision is positive news for Canadian organizations subject to PIPEDA. Despite significant gaps between PIPEDA and the GDPR (e.g. in terms of individual rights and enforcement powers), the Commission still considers Canada to offer an adequate level of data protection. It remains to be seen what impact this review will have on the current legislative reform of PIPEDA.
[1] Inclusive of Norway, Liechtenstein and Iceland.
[2] EU Commission, “Adequacy decisions: How the EU determines if a non-EU country has an adequate level of protection.”
[3] Ibid. These decisions do not cover data exchanges in the law enforcement sector.
[4] Government of Canada, “The European Union’s General Data Protection Regulation”, (November 8, 2023).