In December 2001, Canada achieved adequacy status under the 1995 Data Protection Directive for transfers from the EU to Canada of personal information subject to the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). Since that time, Canadian businesses have been able to rely on this determination, and thus avoid other methods of guaranteeing legal transfers such as model contracts or binding corporate rules (BCRs).
PIPEDA is not an overarching data protection statute. Substantially similar provincial laws in BC, Quebec and Alberta govern private sector processing for much of the business sector in those provinces. And PIPEDA only applies to the processing of personal data for commercial purposes; so much of the non-profit sector, for instance, tends to fall between the cracks of the Canadian privacy regime. Many employee records also remain under provincial jurisdiction. Nevertheless, for the vast majority of companies that import personal data from the EU, PIPEDA is the relevant statute. And so PIPEDA’s “adequacy” remains the overwhelmingly relevant question.
There are now concerns about whether this state of affairs will continue under the new General Data Protection Regulation (GDPR). The question assumes a critical importance in the context of the new Canada-EU Comprehensive Economic and Trade Agreement (CETA). This agreement is expected to boost bilateral trade in goods and services, and presumably increase the volume of consumer and employee data that flows into Canada from the EU. CETA is expected to come into force in 2017 although Brexit has raised some questions about whether that timetable can be met.
Three main questions have arisen that put the Canadian adequacy evaluation under some scrutiny. The first relates to access to European personal information by Canadian intelligence services, an issue that was never contemplated when the original adequacy regime was developed and implemented under the 1995 Directive. In 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the LIBE committee) called for a review of Canada’s privacy regime in the light of Canada’s participation in the Five Eyes Alliance. These are the same concerns, though on a far smaller scale, that motivated Max Schrems’s legal challenge to EU-US Safe Harbor, its invalidation by the European Court of Justice, and the attempt to allay European concerns through the new EU-US Privacy Shield.
Early this year, it was reported that Canada’s Communications Security Establishment (CSE) had been sharing communications metadata on identifiable Canadians with the countries of the Five Eyes Alliance (US, Canada, Britain, Australia and New Zealand). While it is illegal for CSE to capture personal data on Canadians, it may do so to track foreign individuals or groups. So European concerns about the activities of Canadian intelligence agencies are genuine.
These concerns also need to be considered in the light of the ‘assurances’ about US mass surveillance provided through the EU-US Privacy Shield, which claims: “For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.” Presumably the EU will want to assess how the Privacy Shield is working before taking on the issue of mass surveillance in any of the other Five Eyes countries. If equivalent assurances are necessary from the Canadian intelligence services in the future, then so be it. It would also be appropriate for these questions of oversight and accountability to be raised during the impending reform of Canada’s Anti-terrorism Act, Bill C-51.
A second, and specifically Canadian, question relates to personal data transferred to Canada that is under the jurisdiction of one of the provinces that has its own private sector data protection law (Alberta, BC and Quebec). The Governor in Council has deemed these laws substantially similar to PIPEDA, and so the operating assumption has been that they are also adequate for the purposes of European law. It is now obvious that this assumption is incorrect.
The question about the adequacy of these provincial laws was brought to attention by the surprising decision in July 2014 about the continued adequacy of Quebec’s 1993 Act Respecting the Protection of Personal Information in the Private Sector, the first private sector data protection law anywhere in North America. In its decision, the Article 29 Working Party recommended that the Commission not adopt a separate adequacy determination for Quebec until: the territorial scope of the legislation in relation to PIPEDA is clearly defined; transparency requirements concerning the identity and contact details of the data controller are clarified; there are clearer definitions of sensitive data; and there are stronger provisions for onward transfers of personal data.
The decision was widely critiqued in Canada and Quebec because it failed to really understand the complex nature of federal-provincial relations in Canada and, as Eloise Gratton pointed out, overlooked that in some respects Quebec’s law actually provides stronger enforcement provisions than PIPEDA. The decision highlights the kind of confusion that can arise when assessments of adequacy focus too squarely on the black letter of the law, without sufficient understanding of the broader political culture and the constitutional framework. In the light of this decision, a similar question mark remains over the adequacy of the Personal Information Protection Acts operating in British Columbia and Alberta.
The third, and perhaps most pressing, concern relates to the standard by which adequacy will be judged under the GDPR. We do not have any clear signals yet on this question. One obvious implication of the ECJ ruling in the Schrems case, however, is that an existing adequacy determination does not absolve a European DPA from investigating a complaint against a company residing in another jurisdiction. Adequacy is not, and probably never was, a get-out-of-jail-free card. So Canadian companies are as vulnerable to challenge as any others.
It is clear from the GDPR that adequacy decisions will not last indefinitely, although existing adequacy determinations will remain in force until they are amended, replaced or repealed by the Commission in accordance with the new rules. It envisages a mechanism for periodic review at least every four years — so presumably we can expect a review of the Canadian assessment by 2020. The Commission has stated that, when assessing adequacy, it shall take into account all relevant legislation, professional rules, case-law, security measures and so on. It shall consider the existence and effective functioning of one or more supervisory authorities, as well as any international commitments. The assessment criteria have also been widened to explicitly include the rules for onward transfer, public security, criminal law and access by public authorities to personal data.
What is still unclear is what components of the GDPR are considered essential. Under the Directive, the framework for the test became fairly standardized. There needed to be evidence that the basic content principles were present in law: purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; and restriction of onward transfers. Article 29 also looked for adequate procedural/enforcement mechanisms that promoted a good level of compliance, provided help and support to data subjects, and offered appropriate redress when the rules are broken.
But there are some new provisions in the GDPR, which did not appear in the Directive, on: data breach notification; the right to be forgotten; the right of data portability; and privacy by design and by default. Should these also constitute a test for adequacy? Which are central “principles” of data protection, and which are methods of enforcement and implementation? It would be very difficult to argue, for example, that the right to be forgotten, a principle that raises some profound constitutional implications for freedom of speech in Canada and the United States, should be considered a sine qua non of adequate data protection.
Adequacy is, of course, not the only method to legitimate international personal data transfers. Articles 46 and 47 of the GDPR explicitly recognize transfers subject to binding corporate rules, standard data protection clauses, approved codes of conduct, or approved certification mechanisms. And Article 49 stipulates a number of derogations in specific situations.
There is no question that Canadian companies would really miss the safe harbor that adequacy status confers, were it to be removed. A recent news report, based on an internal memo obtained under FOI, indicated that Canadian government officials also have some concerns. There is even a question about whether the new Privacy Shield contains some tougher standards for international personal data transfers than those that operate under PIPEDA.
In the final analysis, however, I suspect that the adequacy determination process will retain its importance more as a political, than a legal, instrument. It has been a significant boost to the spread of the very idea of data protection around the world. So it may be politically difficult for the EU to withdraw adequacy status from Canada. That would send a message to those countries that have not applied, or who have never passed data protection legislation, that they need not bother. It would signal that the bar is simply too high.
That is not to say that PIPEDA does not require amendment; the Privacy Commissioner is currently conducting a consultation process on the entire consent regime. PIPEDA remains a controversial statute in Canada. So if the EU insists on some further requirements under the GDPR in order for Canada to continue to meet the adequacy test, then privacy advocates should welcome the increased European scrutiny and the potential for improvements to Canadian privacy law.
(This is an earlier version of an article that was published in Privacy Laws and Business International, August 2016.)