EU confirms PIPEDA’s adequacy status under the GDPR
In a Report issued two weeks ago,[1] the European Commission advised that its 2001 decision granting the federal privacy law, PIPEDA,[2] “adequacy” status under relevant EU privacy law is continued and confirmed. The 2001 decision determined that PIPEDA provided an adequate level of protection for personal data transferred from the EU to Canada, as required by the EU’s then in-force “Data Protection Directive”.[3] The EU’s current law, the General Data Protection Regulation (GDPR), requires the Commission to periodically review these decisions, every four years, in order to determine whether the countries and territories that received an adequacy finding continue to provide an adequate level of protection for personal data.
The updated determination means that personal information collected in the EU may continue to be transferred to Canada, whether for processing by service providers or for disclosure to Canadian entities for their own purposes, as it has since the 2001 ruling, without additional protective measures. By contrast, the US, having no nation-wide privacy law, does not benefit from adequacy status. Therefore, organizations looking to transfer data between the EU and the US must resort to special measures such as standard contractual clauses or certification under the recently adopted EU-US Data Privacy Framework.[4]
In the current Canadian privacy context, note should be taken of the European Commission’s ruling for two main reasons.
The benefits of adequacy
Firstly, as noted, it means that organizations both in the EU and Canada can continue to conduct business involving the exchange of personal data between those jurisdictions without any restrictive or limiting measures. There was concern that, with the EU’s adoption of the GDPR to succeed the Data Privacy Directive including providing for more stringent protective rules and significantly higher financial penalties, the required review of PIPEDA’s adequacy would find it deficient with the result that the status would be lost. This concern was perceived as a prime motivator for the federal government’s introduction of Bill C-27, enacting the proposed Consumer Privacy Protection Act (CPPA) as an updated replacement for PIPEDA, including a number of new protective provisions inspired by the GDPR.
Impact on privacy reform
This consideration – to enact a modern federal privacy law more in line with the GDPR – points to the second reason why the EU’s ruling is notable. The prospect of a potential negative adequacy decision under the GDPR has been seen not only as a key motivator to bring forth Bill C-27 but also for government to make amendments to the bill in response to commentaries submitted to the government and/or to the INDU Committee[5] in its consideration of the bill. There is concern among some privacy advocates that with PIPEDA’s adequacy status now re-confirmed, the government’s incentive to move forward expeditiously to pass Bill C-27, or to adopt further amendments to the bill, will weaken or potentially vanish.
Clearly, irrespective of any potential impact on Canada’s privacy reform process, the reconfirmation of PIPEDA’s adequacy is a good result for Canadian organizations, which will not be required to comply with the more cumbersome procedures for EU data exchange that have faced their US counterparts. In terms of making Canada a desirable place to locate a business, or incentivizing international organizations to invest, in particular in the technology space, the EU decision is a positive step.
With respect to the impact of the adequacy decision on the current reform process, several observations can be made, most importantly that it should not have any material impact.
Firstly, it can be noted that there are important drivers for federal privacy reform, including making our law more in alignment with the GDPR, entirely apart from any adequacy requirement. It is recognized that PIPEDA needs to be modernized to address data technology developments over the twenty years since it became law. The GDPR, together with ancillary legislative and regulatory initiatives in Europe,[6] is recognized as the current international “gold standard” for modern privacy regulation and oversight.
Bill C-27 has been advanced by the government as part of its “Digital Charter”[7] to address these developments and, as part of this thrust, draws significantly from the GDPR – such as with a “legitimate interest” alternative to express consent, rules for de-identification of data, mobility rights, a right to be forgotten, an order-making power, and significant financial penalties. Importantly, Minister Champagne has indicated to the INDU Committee that he will table an amendment to the bill recognizing privacy as a fundamental right – a key precept underlying privacy regulation in Europe.[8]
In this context, it is highly unlikely that the government would now take its foot off the gas in pressing for a reformed law. Arguably, it can be surmised that Bill C-27, together with the amendments proposed by the government to date, should be considered a “floor” for the ultimate form that the CPPA will take. Above this base level for the reform law, one can identify a number of adjustments advanced across the spectrum of stakeholders appearing before the Committee that should be considered in settling the final version. These include: strengthening the legitimate interest rule, providing for specific protections for children (some of which were addressed in the Minister’s communication regarding further amendments), clarifying the rules regarding anonymization, enhancing the rights of individuals in respect of automated decision (AI) systems, a right to the de-indexing of search results, and mandating a role for privacy impact assessments in specific instances such as new technology projects and cross-border transfers.
Adopting within the reformed law some or all of these additional precepts would not only draw the CPPA closer to the international gold standard of the GDPR but, more concretely, bring it into greater alignment with Quebec’s Law 25 – that province’s reformed private sector privacy law. Law 25, which tracks more closely the GDPR than does Bill C-27, currently represents the most privacy-protective regime in Canada.
A key further driver for a reformed federal privacy law, embodying “state of the art”, technology-oriented, protective provisions, is efficiency of compliance, both inter-provincially and internationally. Increasingly, organizations are looking to a single, uniform privacy infrastructure that conforms to standards in all jurisdictions. This is the “international comity” precept – recognized by the European Commission in its Report with reference to the need for adequacy but having broader relevance in the current multi-jurisdictional data context:
Importantly, this first review takes place against the backdrop of the exponential development of digital technologies. Over the past decades, the importance of adequacy decisions has increased considerably as data flows have become an integral element of the digital transformation of the society and the globalisation of the economy. The transfer of data across borders has become part of the daily operations of European companies of all sizes, across all sectors. More than ever before, respecting privacy is a condition for stable, secure, and competitive commercial flows.[9]
In this context, it can be argued that Canada’s privacy laws should not be seriously out of line with the laws of other major international jurisdictions.
Within Canada, it is self-evident that the national law should meet the standard of the highest common denominator, as opposed to a lower standard. More practically, however, the reality is that Canadian organizations will not be inclined to “cherry-pick” which laws they comply with across provinces but likely will, again, comply with a common minimum standard. If this standard is set by Quebec’s Law 25, then it is reasonable to expect that the federal law would align with that.
The Commission’s comments regarding the on-going reform process in Canada
A final reason why there should be no sense for the government to pull back – or lessen its pro-active approach to privacy reform – can be found within comments in the European Commission’s Report addressing the progress of reform in Canada. In this regard, the Commission noted case law and regulatory developments that in its view have increased privacy protections, recommending that these be enshrined within the legislative reform process currently underway, and indicating that it will continue to monitor this process:
….. the Commission recommends enshrining some of the protections that have been developed at sub-legislative level in legislation to enhance legal certainty and consolidate these requirements. The ongoing legislative reform of PIPEDA could notably offer an opportunity to codify such developments, and thereby further strengthen the Canadian privacy framework. The Commission will closely monitor future developments in this area.[10]
In stating its conclusion of adequacy, the Commission highlighted the PIPEDA reform process, indicating that such reform could further strengthen privacy protections, including in areas relevant for the adequacy finding. One can surmise from these comments that the Commission could view Canada’s adequacy differently should reform not keep pace with globalisation and digitisation trends.
Summary and conclusions
In sum, Canadian-based organizations can look to continuing their ability to communicate data with their European contacts without concern of cross-border privacy restrictions.[11] To the extent that the looming adequacy decision was a motivator for reform of Canada’s privacy laws, it may be posited that the result should not have any material impact. There are strong incentives for the modernization of the current national law, in particular for reasons of alignment both inter-provincially and internationally – reasons that organizations focussing on efficiency of operations will be concerned with.
Finally, in its Report, the European Commission took notice of the current reform process, to the effect that it will maintain a “watching brief”, with a view to expected modernizing amendments that will be relevant to Canada’s adequacy status.
For more information please contact: David Young 416-968-6286 david@davidyounglaw.ca
Note: The foregoing does not constitute legal advice. © David Young Law 2024
[1] Report From the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC, January 15, 2024.
[2] Personal Information Protection and Electronic Documents Act.
[3] Directive 95/46/EC of the European Parliament, predecessor of the GDPR.
[4] Successor to the now invalidated EU-US “Privacy Shield” and its predecessor the “Safe Harbor” regime.
[5] Parliamentary Standing Committee on Industry and Technology.
[6] Artificial Intelligence Act (2023 – not in force); e-Commerce Directive (2000); Digital Services Act (2022).
[7] Canada’s Digital Charter, Innovation, Science and Economic Development Canada.
[8] Correspondence from the Honourable François-Philippe Champagne – 2023-10-20, Minister of Innovation, Science and Industry.
[9] Report at p. 2.
[10] Report at p. 9.
[11] Subject to the proviso of complying with the Law 25 rules for transfers of data outside Quebec.