(Read the original article by Kirsten Thompson, Charles Morgan and Maureen Gillis at Cyberlex)

As reported in our recent post,  on February 28, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled in the House of Commons a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. The recommendations in the Committee’s Report are also heavily influenced by the direction set in the European Union General Data Protection Regulation, (“GDPR”) which comes into force this year.

We have prepared a multi-part series of posts focusing in more depth on each section of the Report.

In this post, we summarize and comment on the Committee’s findings set out in Part 5 of the Report, which assesses whether amendments to PIPEDA may be required in order to ensure that Canada maintains its current EU adequacy status (i.e. as a country that provides “adequate protection” for personal data in order to facilitate cross-border data flow between the EU and Canada).

The other posts in this series are:

Part 1– Overview and Context of the Report

Part 2 – Consent

Part 3 – Online Reputation/ “Right to be Forgotten”

Part 4 – Enforcement Powers of the Privacy Commissioner

Part 5 – Adequacy of PIPEDA under the GDPR

Assessing Adequacy

In 1995, the EU adopted Directive 95/46/EC (the “EU Data Protection Directive”). Article 25 of that Directive prohibits members states (and companies within their borders) from transferring personal data to a non-member state whose laws do not adequately protect the data. Non-member states can be brought into the zone of protection if the EU determines their domestive privacy regime to be “adequate”. For the purposes of Article 25, Canada’s PIPEDA received a favourable adequacy decision in 2001.

On May 25, 2018, the EU GDPR will replace the EU Data Protection Directive. Under the GDPR, the EU will again have to assess the adequacy of PIPEDA’s protections every four years. In the context of the latter assessment, however, PIPEDA will ultimately be assessed in light of the new, higher standards of protection set out in the GDPR. Accordingly, the questions before the Committee in Part 5 of the Report were: a) whether PIPEDA in its current form would successfully maintain its adequacy status; and b) if not, what changes may be require in order to maintain such status.

Several witnesses to the Committee recommended that an analysis of requisite amendments not focus too narrowly on simply meeting the GDPR adequacy requirements or on mirroring, one by one, its provisions. Instead, several witnesses argued that the Canadian privacy regime should continue to evolve in a manner consistent with a broader range of international standards to address new issues such as the “Internet of things”. Indeed, the European Data Protection Supervisor indicated in his submission that the applicable standard of adequacy is now that the protections be “essentially the equivalent” and, accordingly, that the Committee should not focus on a point by point mapping of the new requirements of the GDPR, such as privacy by design and data portability, but rather that the Canadian legislator take a “global approach” to the assessment of adequacy.

In this context, some of the areas of obvious discrepancy as between the EU GDPR and PIPEDA are as follows:

As regards the last point, several witnesses indicated that the lack of enforcement powers constituted PIPEDA’s greatest adequacy “gap”.

Ultimately, the Committee did not indicate any specific position as regards whether any amendments to PIPEDA were required or, if so, what amendments should be adopted.

Instead, the Committee simply recommended that the Government of Canada should determine what changes, if any to PIPEDA will be required in order to maintain its adequacy status under the GDPR and, if it is determined that such changes required to maintain such status are not in the Canadian interest, that the Government of Canada create alternate mechanism to allow for the seamless transfer of data between Canada and the EU.

Finally, as the Committee noted that the adequacy assessment would also apply to Canada’s provincial privacy laws, the Committee recommended that the government of Canada work with the provinces and territories to ensure that all jurisdictions are duly aware of the relevant adequacy requirements.

Take aways

Canada’s current adequacy status will be maintained under the GDPR at very least until the EU decides to perform a new adequacy assessment. This latter exercise must occur within four years of the coming into force of the EU GDPR. As there are several areas of obvious discrepancy as between the GDPR requirements and the privacy protections set out under PIPEDA in its current form, we can expect that the Government of Canada will conclude that amendments to PIPEDA will be required to maintain its adequacy status on a going forward basis.

In this context, it is likely that the Government of Canada will decide to proceed with at least some amendments to PIPEDA, although its assessment of required changes will be taken on a global basis (rather than on a point by point mapping of rights and obligations set out in the GDPR) and that such assessment with be made on the basis of the best interests of Canada, in light of an ever-evolving context for data protection.