The European Union’s recent review of Canada’s data protection adequacy, a follow-up to the initial adequacy decision made in 2001, offers an insightful perspective into Canada’s compliance with evolving international data privacy standards. This review, part of the EU’s broader evaluation under the General Data Protection Regulation (GDPR), reaffirms Canada’s status but also subtly influences the trajectory of its ongoing privacy law reform.
Understanding the Context of the Review
The EU Commission’s assessment isn’t just a static validation but a dynamic evaluation that considers legal and technological developments in data protection. Initially granted in 2001, Canada’s adequacy status under the EU’s Data Protection Directive has been reassessed to ensure continued alignment with the GDPR’s more stringent requirements.
Key Aspects of the Review
The Standard is designed to be adaptable across various contexts, industries, and future innovations, ensuring that humans always retain control over machines. Key features are:
- 1. Legislative Developments: The Commission recognizes Canada’s efforts in strengthening data protection through legislative amendments since 2001. The example the EU Commission calls out is the expansion of access and rectification rights to all persons, not just citizens, permanent residents, and those present in Canada, a change that affects the public sector law. We can speculate that other changes the EU has in mind here are the changes to PIPEDA that the Digital Privacy Act introduced in 2015, e.g., clearer consent and mandatory breach notification requirements, and enhanced powers for the Privacy Commissioner.
- 2. Government Data Access: Rules governing Canadian public authorities’ access to data are acknowledged to be clear and precise, aligning with constitutional standards. This finding is a key aspect of the adequacy decision that not only considers the privacy laws in place but also their enforceability, i.e., whether there would be legal recourse against state actors accessing personal information of Europeans once their data is in Canada.
- An example showing the relevance of these requirements is the RCMP’s former use of Clearview AI for law enforcement purposes. Canada’s federal police service used the services of Clearview AI who had scraped photographs of individuals from the internet without their knowledge and consent, hence in contravention of PIPEDA. The RCMP pushed back on the Office of the Privacy Commissioner’s findings that the RCMP had contravened the public sector privacy law, the Privacy Act, by not ensuring that the personal data they were using via Clearview AI had been sourced legally. They argued that it would be an unreasonable obligation to require the RCMP to ensure the compliance of its third-party service providers with PIPEDA. Importantly, the Privacy Act has not been amended since, but it seems that the EU is satisfied with Canada, based on their remark that Canada is among the countries that “clarif[ied] certain privacy rules […] building on enforcement practice or case law.”
- 3. Current Adequacy Conclusion: The EU concludes that Canada maintains an adequate level of data protection in so far as PIPEDA is concerned.
Impact on Canada’s Privacy Law Reform
Now that the EU has decided to continue recognizing Canada’s adequacy at the current state of Canada’s data protection framework, it will be interesting to see how this will influence the ongoing privacy reform. We can potentially expect the timely enactment of Bill C-27 to be affected as follows:
Potential Reduction in Reform Urgency
The EU’s continued recognition of Canada’s adequacy might create a perception that the existing data protection framework is sufficiently robust, potentially reducing the urgency for immediate reforms. Since the adequacy decision is not explicitly conditional on further reforms, it could be interpreted as an endorsement of the current state, possibly diminishing the perceived need for rapid legislative changes.
Arguments for Continued Reform
Despite the above, there are compelling reasons why the EU’s review process and the broader global data protection landscape may still encourage further reform in Canada:
- Global Data Protection Trends: The global trend towards stricter data privacy regulations, exemplified by the GDPR, underscores the need for Canada to continually adapt its framework to remain aligned with international standards.
- Dynamic Adequacy Assessment: The EU’s approach to adequacy as a ‘living instrument’ implies that Canada’s data protection regime must evolve in tandem with EU standards to maintain its adequacy status.
- Technological Advancements: Rapid technological changes demand ongoing updates to privacy laws to address emerging challenges in data protection and cyber security.
- Trade and Economic Considerations: Maintaining alignment with EU standards is crucial for facilitating uninterrupted data flows, which are vital for trade and economic relations between Canada and the EU.
- Public Trust and Compliance: Strengthening privacy laws enhances public trust in digital services and ensures compliance with international best practices, benefiting both consumers and businesses.
- Recommendations for Improvement: The EU’s review, while positive, also highlights areas for improvement in Canada’s privacy framework, i.e., “enshrining some of the protections that have been developed at sub-legislative level in legislation to enhance legal certainty and consolidate these requirements.” This serves as a (vague) roadmap for future reforms to address identified gaps, even though the report does not set out any concrete requirements. We do, however, learn that during the process of the adequacy review there was an “intense and fruitful” dialogue between the countries under review and EU institutions. It thus seems likely that more feedback has been given to Canada than the report gives away.
In summary, while the EU’s review reaffirms Canada’s adequacy in terms of data protection, it should not be viewed as a reason to decelerate the ongoing privacy reforms. Instead, it should be seen as a milestone in a continuous journey towards enhancing data privacy standards. The dynamic nature of data protection laws, the ever-evolving technological landscape, and the importance of international data flows necessitate an ongoing commitment to reform. Canada’s proactive approach in aligning with global standards will ensure its continued reputation as a trusted and responsible player in the international data protection arena.