Worldwide: European Commission Approves Of Canada's Data Protection Regime (Again)

On January 15, 2024, the European Commission ("Commission") renewed Canada's adequacy status under the General Data Protection Regulation ("GDPR").¹ You can read the Commission's full report setting out its adequacy decision here (the "Report").

The following bulletin will give you a brief overview of the GDPR, the importance of obtaining adequacy status, and why Canada's adequacy status is important for Canadian businesses.

What is the GDPR?

The European Union ("EU") enacted the GDPR in May 2018.² The GDPR strengthens the protection of all EU citizens with respect to the transfer of their personal data and harmonizes national data privacy laws throughout the EU.³The GDPR requires all companies processing the personal data of EU residents, including companies established outside the EU if they operate in the EU, to comply with the data protection rules set out therein.⁴ For example, the GDPR requires that companies obtain "specific, informed and unambiguous consent" in order to process an individual's personal data.⁵

What is adequacy status?

Pursuant to the GDPR, if the Commission finds that a country outside of the EU offers an adequate level of data protection, that country can obtain adequacy status.⁶ Obtaining adequacy status involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries, and the adoption of the decision by the European Commission.⁷ However, adequacy status may be revoked at any time if the European Parliament and the Council request that the European Commission withdraw, maintain or amend its adequacy decision.⁸

Prior to the GDPR, 11 countries were granted adequacy status under the then Data Protection Directive 95/46/EC, namely: Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. These adequacy decisions have remained in force so far, even after the GDPR came into effect.

On January 15, 2024, following its review of the 11 existing adequacy decisions, the Commission renewed Canada's adequacy status alongside the other 10 countries with existing adequacy status.⁹ The Report concluded that the aforementioned countries' existing data protection frameworks are aligned with the EU's framework and provide significant data safeguards for personal data.¹⁰

The Commission found that Canada continues to provide an adequate level of protection for personal data transferred from the EU to recipients subject to Canada's federal private sector privacy law, the Personal Information Protection Electronic Documents Act¹¹ ("PIPEDA").

What does this mean for Canadian businesses?

If a country has adequacy status, personal data can flow from the EU to that country without the need for any additional data protection safeguards, such as standard contractual rules, the need for additional data processing addenda or authorizations to transfer the data. The additional safeguard requirements could be cumbersome and onerous for some organizations. Canada's adequacy status results in increased efficiency for Canadian businesses transferring personal data from the EU to Canada.

What's next?

To ensure Canada continues to maintain its adequacy status under the GDPR, the federal government will need to bring its privacy laws into closer alignment with the GDPR.

Canada's federal privacy legislation, PIPEDA, is expected to see an overhaul soon. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts known as the Digital Charter Implementation Act, 2022 ("Bill C-27") has completed its second reading in Parliament and is undergoing consideration by the Standing Committee on Industry and Technology.

Bill C-27 introduced bold new measures that will bring Canadian privacy law into closer alignment with the GDPR. Closer alignment with the GDPR will continue to assist Canada in maintaining its adequacy status under the GDPR, allowing Canadian businesses to transfer personal information from the EU to Canada without additional data protection safeguards as discussed above. For more information on Bill C-27, see our recent blog post, To Five Privacy Developments in Canada: A Year in Review 2023.

The authors would like to acknowledge Torkin Manes' Articling Student, Lexi Cooper, for her invaluable contribution in drafting this bulletin.

Footnotes

1. European Commission, Press Release, "Commission finds that EU personal data flows can continue with 11 third countries and territories" (15 January 2024), online: https://ec.europa.eu/commission/presscorner/detail/en/ip_24_161.

2. Government of Canada, The European Union's General Data Protection Regulation (Ottawa: 8 November 2023) online: https://www.tradecommissioner.gc.ca/guides/gdpr-eu-rgpd.aspx?lang=eng.

3. Ibid.

4. Ibid.

5. Ibid.

6. European Commission, Adequacy Decisions: How the EU determines if a non-EU country has an adequate level of data protection, online:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#:~:text=How%20the%20EU%20determines%20if,adequate%20level%20of%20data%20protection.
&text=The%20European%20Commission%20has%20the,adequate%20level%20of%20data%20protection. 

7. Ibid.

8. Ibid.

9. Supra note 1.

10. Ibid.

11. SC 2000, c 5.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.