I appeared before the INDU Standing Committee on October 26th, 2023, and submitted a written brief on Bill C-27. I wish to supplement that submission in the light of the European Commission’s recent judgement that the Canadian privacy regime continues to offer an “adequate level of protection” and thus satisfies European legal standards. Data can, therefore, continue to flow freely to Canada from the EU, at least to the extent that the receiving organizations are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA). Many, including myself, were surprised by this judgement. Given that it took over 5 years to be concluded, it is puzzling that the Commission could not have waited a little longer to evaluate the new and reformed privacy protection regime, represented in Bill C-27.
While this judgement will be welcomed by the Canadian government, and by businesses that continue to rely on unimpeded flows of personal data from the EU for commercial purposes, it is important to see this decision in context and to evaluate it in its entirety. This decision should not be read as an invitation to weaken the existing safeguards in the Consumer Privacy Protection Act (CPPA), which has already been subject to many compromises, on the grounds that the European Commission has found the status quo “adequate” under European law.
The “adequacy test”
The European Commission judged Canada’s privacy protection regime, represented through PIPEDA, adequate back in 2001. Companies might import data through other mechanisms, including standard contracts, binding corporate rules, certification schemes and codes of practice. But achieving the safe harbor that adequacy status confers is by far the most preferred. It has proven to be a comprehensive and elegant solution that can apply to any business, including SMEs, reducing the need for further contractual or other solutions, and the associated legal fees.
The adequacy program is now dictated by the requirements of the EU’s General Data Protection Regulation (GDPR) which came into force in May 2018, as interpreted by a series of decisions by the European Court of Justice (ECJ). Other countries’ laws do not need to be a “photocopy” of the GDPR to be adequate. The test lies in whether, through the substance of privacy rights and their effective implementation, enforceability and supervision, the system as a whole delivers a level of protection that is “essentially equivalent” to that provided by the GDPR. Essential equivalence is the standard stipulated by the ECJ in the so-called Schrems I decision of October 2015.
The adequacy test requires a comprehensive assessment of the system of personal data protection as a whole — both the substantive rules, and their effective implementation and enforcement. This is not just an assessment based on data protection law. Other sectoral legislation may be considered, as well as case-law, professional rules and security measures, allowing an assessment of the overall profile and effectiveness of the entire personal data protection regime.
Adequacy as a process and not an endpoint
In its recent report, the Commission has concluded that over the years the Canadian privacy protection regime has “converged” with that of the EU. And the accompanying staff report documents changes in Canadian law and policy introduced since 2001 that allegedly support this conclusion. Those changes include: the passage of the Digital Privacy Act in 2015; the passage of the Canada Anti-Spam Legislation (CASL) in 2010; mandatory breach notification (2015); and various decisions by the Office of the Privacy Commissioner (OPC) on consent, sensitive data, and international data transfers. The report notes with approval the various investigations by the OPC, the system of complaints investigation and resolution, and the various policy tools developed to assist compliance and accountability.
Does the collection of legal facts constitute evidence of a “convergence” with European standards? The report does not mention the various criticisms of PIPEDA that you may have heard from witnesses, in particular the severe constraints caused by the absence of order-making powers for the Commissioner (notably with respect to Facebook). Moreover, the documentation gives the impression that sections were cut and pasted from sources provided by government ministries, particularly ISED and Justice. There are no references to sources other than official sources. And there is no indication of which “local experts” were consulted. For the most part, the assessment is based on descriptions of the “black letter” law, with scant evidence of the actual effects on the ground.
Nevertheless, Canada, and the other jurisdictions whose adequacy judgements have been carried over, have not only maintained an adequate level of protection, but allegedly further converged with the evolving EU legislative framework. Adequacy assessments are “living instruments.” And we are now “adequacy partners” — a privileged club engaged in a mutually beneficial journey designed to advance data protection rights around the world.
Bill C-27 as part of the EU Commission’s assessment
In this regard, the current reform process was very much under consideration during the Commission’s assessment. The case report notes: “The proposed Consumer Privacy Protection Act would amend PIPEDA in several ways, e.g., by codifying certain clarifications provided over the years by courts and the OPC (for instance on the validity and modalities of consent, requirements for the legitimacy/lawfulness of data processing, the right to deletion and international data transfers) and by further strengthening the powers of the OPC.” The new powers for the OPC in C-27 are indeed to be welcomed. I am not so sure that the CPPA strengthens the consent requirements or the rules on the legitimacy of data processing. And there is nothing in the new bill on international data transfers – an issue I critiqued in my prior submission (see below).
The main report notes with approval how PIPEDA has been strengthened by case law and guidance from the OPC. It then adds that “the Commission recommends enshrining some of the protections that have been developed at sub-legislative level in legislation to enhance legal certainty and consolidate these requirements. The ongoing legislative reform of PIPEDA could notably offer an opportunity to codify such developments, and thereby further strengthen the Canadian privacy framework. The Commission will closely monitor future developments in this area.” The report mentions the conditions for valid consent, and the definitions of sensitive data, as examples of such developments.
Maybe this should be read as a vague warning? It is certainly evidence of the Commission’s insistence that adequacy assessments are an ongoing and iterative process. And one could reasonably ask whether the positive adequacy assessment would have been granted had Canada not embarked on a program of legislative reform of PIPEDA. Implicitly, the future prospect of the CPPA is part of this assessment, even though the Commission did not have a finalized law to evaluate. That prospect is also evidence of a “convergence” – a positive step and one that should not be abrogated.
It is also worth noting that the Commission has stressed that it will not hesitate to use the powers granted by Article 45(5) of the GDPR to suspend, amend or withdraw an adequacy decision should data protection safeguards be mitigated or impaired. It should be remembered that adequacy status was withdrawn from Quebec in 2014.
The emphasis on access to personal data by public authorities
It is also significant that most of the accompanying country report on Canada is not related to B2B transfers of personal data at all, but to constitutional protections under the Charter, case law, and statutory protections for access to personal information by public authorities. These issues fall largely outside the provisions of C-27. And the Commission concludes: “In the area of government access to personal data, public authorities in Canada are subject to clear, precise and accessible rules under which such authorities can access and subsequently use for public interest objectives, in particular for criminal law enforcement and national security purposes, data transferred from the EU.” Many in Canada’s civil liberties community would disagree – but they were not consulted.
The legal standard of “essential equivalence” requires minimum safeguards ensuring that law enforcement and intelligence agencies cannot access data beyond what is necessary and proportionate to pursue legitimate objectives, and that data subjects enjoy effective and enforceable rights against such authorities. This analysis is prompted by the requirements of the second Schrems decision of July 2020. This judgement is very important in the context of the ongoing dispute with the United States and the current legal challenges to the third intergovernmental arrangement (the Trans-Atlantic Data Privacy Framework) for secure data transfers between the EU and the US. The Commission has, therefore, staked a position that Canada’s rules for the protection of personal data by public authorities are adequate, whereas those of the US are still under question.
The need to align C-27 with Quebec’s Law 25
The final point relates to Quebec, which has already passed a modernized data protection law in closer alignment with the GDPR than is the CPPA. In the final analysis, the convergence of the federal privacy law with Quebec’s new Law 25 is more pressing for the modernization of Canadian personal data protection policy than is alignment with European standards. Any weaker privacy standards in the CPPA should not undermine Quebec’s efforts, nor prompt corporate decisions to operate outside Quebec in the hope of avoiding its more stringent legal requirements. Several areas of concern have been noted by witnesses during the INDU hearings. I will reiterate one important issue here.
In my prior submission, I noted that there is no section in the CPPA on international data transfers, which is particularly ironic given the emphasis on global flows of personal data in all the government’s explanatory material. I know of no other modern privacy law that fails to give businesses proper guidance on what they must do if they want to process personal data offshore. The only requirement is for the organization to require the service provider (by contract or otherwise) to ensure a level of protection of the personal information “equivalent to that which the organization is required to provide under this Act” (Section 11(1)). This due diligence applies whether the business is transferring personal data to another province in Canada, or overseas to a country that may or may not have strong privacy protection or indeed a record for the protection of human rights. This is particularly troubling because “an organization may transfer an individual’s personal information to a service provider without their knowledge or consent” (Sec. 19).
I do not advocate a Canadian “safe harbor” or adequacy approach like the EU. But Quebec has, I believe, legislated an appropriate compromise under section 17 of Law 25 which requires businesses to do an assessment, including of the legal framework, when sending personal information outside Quebec.[1] As many Canadian businesses will have to comply with the Quebec legislation, these provisions should be mirrored in C-27.
Conclusion
I have outlined reasons why the recent adequacy judgement about Canadian data protection should be read in context and in its entirety. The arguments for the modernization of Canada’s privacy protection framework advanced by the government and other stakeholders over the last several years remain valid. The reality is that Canada needs stronger privacy protections for our citizens, regardless of the demands of our European partners. Bill C-27 has been subject to many compromises already. It should not further be weakened on the grounds that the status quo has been found “adequate.” On the contrary, the committee has heard from many witnesses about how the Bill should be strengthened to advance the essential human right to privacy, both to promote the rights of our citizens, and to protect the vital interests of Canadian businesses in the global economy.
______________________
[1] Quebec, An Act to Modernize legislative provisions as regards the protection of personal information (Law 25) (2022). Sec. 17: “Before communicating personal information outside Québec, a person carrying on an enterprise must conduct a privacy impact assessment. The person must, in particular, take into account:
(1) the sensitivity of the information;
(2) the purposes for which it is to be used;
(3) the protection measures, including those that are contractual, that would apply to it; and
(4) the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State.”