To preserve adequacy status with the EU, the Canadian Government will update PIPEDA
Canada's newly re-elected Liberal government confirmed this week that it will prioritize strengthening Canada’s privacy laws, including through new and larger fines for violations, according to the minister responsible for the file.
The announcement is not really news. Nor is it really - or I should say entirely - about privacy. Let me explain.
Canada's 'Adequacy Status'
Canada is currently one of a small number of countries that has 'adequacy status' with the EU. This means that transfers of personal data from the EU to Canada can occur without requiring additional mechanisms to ensure EU privacy rights are respected, such as Standard Contractual Clauses or Binding Corporate Rules.
Canada gained 'adequacy' status well over a decade ago. At the time, the EU was consolidating its approach to privacy under the 1995 EU Data Protection Directive. The directive required that all transfers of EU personal data to 'third countries' (non-EU countries) be safeguarded by certain protections, but if an 'adequacy decision' was adopted by the European Commission (EC) for a non-EU country, transfers of EU personal data to those third countries would be permitted without the need for additional safeguards or the need for foreign firms to individually show compliance with the Directive.
The EC recognized Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) as providing adequate privacy protection in 2001, and reaffirmed its decision in 2006. What is often lost in the history is how trade - and the need to preserve the free flow of data transfers for international companies based in Canada - served as the impetus for PIPEDA. Canada implemented PIPEDA in part because it was good policy, but also in (large) part, because it was good trade policy. With PIPEDA, Canada could seek 'adequacy status', and as a result, make life much easier for Canadian businesses doing business internationally.
The GDPR and Adequacy Status Review
In 2018, the EU General Data Protection Regulation (GDPR) came into force, and in doing so, updated and strengthened the EU's regime for data protection. The GDPR did not provide for any sunset clause for existing adequacy decisions, but it did provide for a periodic review of adequacy decisions at least every four years. As a result, the EC is now undertaking a review of all adequacy decisions to determine if those countries who today have such status should continue to hold such status when their laws are compared with the newer, tougher GDPR. The EC's review of existing adequacy decisions is due to be completed in May 2020.
Bruno Gencarelli, Head of International Data Transfers and Protection Unit at the EU Commission, said back in July that the Commission has asked the countries in question to update the Commission on any legislative changes and enforcement of their existing laws. Gencarelli said that the Commission is looking for 'essential equivalence' as determined by the Court of Justice of the European Union, not an identical system to the GDPR. The aspects that are important include individual rights, and importantly, how the law is being enforced. When asked whether the Commission would suspend existing decisions due to an unsatisfactory review, Gencarelli said that he cannot rule out these types of measures but stressed that the Commission aims at continuity.
Which brings us to Canada and the newfound urgency to update its privacy laws. As in 2001, Canada is again scrambling to put together new legislation that would allow it to achieve adequacy status. And as in 2001, trade is primarily driving the show.
The free transfer of personal data from the EU to Canada is a competitive advantage for Canadian companies that don't transfer their data onward to a third country (this is admittedly uncommon in practice, as many companies store their data in U.S. clouds, but that's a discussion for another day). To compare with the U.S., which has no comprehensive federal privacy law and thus no adequacy status, currently the only lawful means for transferring EU personal data to the U.S. is with Standard Contractual Clauses (which are themselves not updated for GDPR and difficult to work with), Privacy Shield Certification, or Binding Corporate Rules. And - importantly! - both the Standard Contractual Clauses and the Privacy Shield framework are actively under attack and review in the Court of Justice of the European Union.
Canada, however, has dragged its feet on updating its privacy laws for a GDPR world. On February 28, 2018 - almost two years ago! - the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The questions before the Committee in Part 5 of the Report were: a) whether PIPEDA in its current form would successfully maintain its adequacy status; and b) if not, what changes may be required in order to maintain such status. Some of the areas of obvious discrepancy as between the EU GDPR and PIPEDA that were identified are as follows:

| Provision | GDPR | PIPEDA |
|---|---|---|
| Right of data portability | yes | no |
| Explicit right to erasure | yes | no |
| Data protection by design principle | yes | no |
| Right to explanation re: automated decisions | yes | no |
| Enforcement powers and administrative monetary penalties | yes | no |
On the last point, several witnesses indicated that the lack of enforcement powers constituted PIPEDA's greatest adequacy 'gap', a sentiment echoed by the privacy commissioners of British Columbia and Canada this week in their joint investigation of B.C.-based political consulting firm AggregateIQ.
What To Expect Next
As I said at the beginning, none of this is 'news', because it was always expected by privacy professionals that Canada would repeat what it had done in 2001 and make efforts to ensure it maintained its adequacy status. What is news is just how delayed the Canadian government has been on this issue.
Regardless of how Canada is getting there, however, we can likely expect updates to PIPEDA to be introduced this year that bring the legislation into harmonization with the GDPR. Among other things, it will likely include significant enforcement powers for the Federal privacy commissioner.
Given that the impetus for reform is rooted in trade policy, and given that the EC is on a fairly aggressive timeline to complete its adequacy reviews, one can expect such updates to come quickly. In any event, the question is not if, but when, GDPR-like legislation will be coming to a Canadian province near you.
If you've completely dismissed or ignored the GDPR out of the belief that you're not subject to it, now would be a good time to start looking at what you might need to do within your organization to comply with substantially similar legislation.
And if you need some help in that regard, I'm always happy to chat.😉