Canada’s Adequacy Status at Risk

Canada’s Adequacy Status at Risk

Data Protection Laws Lagging Behind

So this is what we know about the future of Canada’s adequacy status that gives European entities the ability to send personal data to Canada for processing: On May 25, 2018 when the EU General Data Protection Regulation (GDPR) came into force, the countdown commenced for the review of Canada’s adequacy within four years, taking to us to, at the latest, 2022. Canada regularly provides updates to the European Commission (with the last being in December 2019).

Canada will likely be judged severely for its data protection rules that do not include main elements of the GDPR, such as: data subject rights, including the right to data portability, the right to object or the right to erasure; processor responsibilities; and the rules for the onward transfer of personal data to another third country. Thus, Canada likely doesn’t meet the test of “effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”. Although Canada does have robust judicial remedies, the Office of Privacy Commissioner of Canada (OPCC) lacks enforcement powers. The Office can enter into compliance agreements and name organizations being investigated or audited, however the regulator still doesn’t have order making powers.

Now, with Brazil’s GDPR-like data protection law, LGPD, which came into force last week on September 18th, it is also anticipated that one of the first tasks of the Brazil National Data Protection Authority (ANDP) will be to determine which countries they will deem to have adequate privacy frameworks to allow the free flow of Brazilians’ data. The criteria will include alignment of security requirements with the LGPD and the existence of judicial and institutional guarantees for respecting the rights of personal data protection.

Knowing that Canada is lagging behind when it once was a leader in data protection, PIPEDA amendments have been on the horizon for some time. On January 17, 2020, the Prime Minister’s Office delivered a mandate letter to the Minister of Innovation, Science and Industry, outlining a number of data protection initiatives for the Ministry. Notably, some of these initiatives include:

  • advancing Canada’s Digital Charter;
  • enhancing the power of the Office of Privacy Commissioner of Canada, such as adding the ability to award administrative monetary penalties, creating new offences, or providing additional oversight by the Federal Court of Canada to incentivize compliance;
  • establishing a new set of rights for individuals online, including:
      • data portability/privacy; and
      • the right to be forgotten.
  • enhancing knowledge of how personal data is being used; and
  • creating new regulations for large digital companies to protect personal data.

Each of these amendments, if implemented, have the potential to create a fundamental change in the way private sector organizations in Canada collect, use, and disclose personal information. I am all in favour of PIPEDA amendments and filling in gaps at the provincial level, as this work is long overdue, but it is also absolutely critical that the impact of privacy statutes on business be carefully reviewed. Quebec’s Bill 64, which is now being discussed in committee hearings, was inspired by the GDPR but is in many ways more onerous on Quebec businesses (e.g. requiring an assessment for all processing not just processing that is high risk like under the GDPR). In my opinion, Bill 64 is a great example of how to do it wrong. New privacy statutes and amendments to existing frameworks must be non-prescriptive, technology neutral and well thought through (for example, how does consent practically work with complex data flows?).

At the end of the day, personal data transfers made possible through adequacy is much cleaner and simpler than requiring model clauses or BCRs, as in the U.S. Having advised both Canadian and American companies on privacy, I wouldn’t want to see Canada lose this advantage in North America and the recognition of strong data protection that comes with it. It is important to get ready with some promising privacy legislative progress – greater scrutiny from outside our borders is on the way.