The “Adequacy” Test: Canada’s Privacy Protection Regime Passes, but the Exam Is Still On

Other countries’ laws do not need to be a “photocopy” of the GDPR to be adequate.

April 3, 2024
2023-10-05T000000Z_1763851322_MT1IMGOST000QGWINM_RTRMADP_3_IMAGO-IMAGES(2)
An image of a cloud computing sign and network. (IMAGO/Westlight via Reuters Connect)

On January 15 of this year, the European Commission released a report formally declaring that Canada, along with 10 other jurisdictions, continues to offer an “adequate level of protection” for personal information transferred from the European Union. Digital data can, therefore, continue to flow freely to Canada from the European Union, at least to the extent that the receiving organizations are covered by Canada’s 23-year-old data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada has enjoyed this status since 2001.

Adequacy assessments are now dictated by the requirements of the European Union’s General Data Protection Regulation (GDPR), which came into force in May 2018. Companies might import data through other mechanisms, including standard contracts, binding corporate rules, certification schemes and codes of practice. But Canada’s being recognized as a safe harbour, which adequacy status confers, is by far the most preferred and efficient solution for businesses. Adequacy has proven to be a comprehensive, elegant solution that can apply to any business, including small and medium-sized enterprises, reducing the need for further contractual or other solutions, and the legal fees associated.

Adequacy assessments have economic value, therefore. In guaranteeing the uninhibited flow of personal data, they facilitate commercial exchanges involving transfers of personal data in the international digital economy and reduce the risk of the imposition of unjustified data localization or storage requirements. They encourage cooperation among regulators. They also carry symbolic weight, indicating a general respect for privacy rights in that jurisdiction, and a recognition of the leading role the country plays in the advancement of privacy rights.

Assessing Adequacy

Other countries’ laws do not need to be a “photocopy” of the GDPR to be adequate. The test lies in whether, through the substance of privacy rights and their effective implementation, enforceability and supervision, the system delivers a level of protection that is “essentially equivalent” to that provided by the GDPR. Essential equivalence is the standard stipulated by the European Court of Justice (ECJ) in the so-called Schrems I decision of October 2015, which ruled that the EU Commission’s adequacy determination for the EU-US Safe Harbor Framework was invalid.

The broader legal context is also very important. Privacy protection laws without a general respect for human rights and the rule of law would not pass the test. And the adequacy assessment is not based solely on personal data protection law. Under article 45 of the GDPR, other sectoral legislation, as well as case-law, professional rules and security measures, may be considered, to assess the overall profile and effectiveness of the regime.

Companies might import data through other mechanisms, including standard contracts, binding corporate rules, certification schemes and codes of practice. But Canada’s being recognized as a safe harbour, which adequacy status confers, is by far the most preferred and efficient solution for businesses.

Critically, the reviews must now evaluate the protections in place when personal data is accessed from companies by law enforcement or intelligence services. This was the critical issue in the invalidation of previous data transfer agreements between the European Union and the United States. In the ECJ’s second Schrems decision of July 2020, which invalidated the second EU-US data transfer agreement (The Privacy Shield), the court ruled that law enforcement and intelligence agencies should be prohibited from accessing personal data beyond what is necessary and proportionate to pursue legitimate objectives, and that data subjects should enjoy effective and enforceable rights against such authorities.

Most of the assessment of Canada in the January 15 report is devoted to questions of constitutional, case and statutory law governing access by public authorities to personal information held by corporations. In its findings (section 4.3), the Commission concludes: “In the area of government access to personal data, public authorities in Canada are subject to clear, precise and accessible rules under which such authorities can access and subsequently use for public interest objectives, in particular for criminal law enforcement and national security purposes, data transferred from the EU.” Civil liberties groups in Canada would vehemently disagree with this conclusion — but they were not consulted.

More Questions than Answers

This analysis is very important, in the context of the current legal challenges to the third intergovernmental arrangement (the Trans-Atlantic Data Privacy Framework) for secure data transfers between the European Union and the United States. It sends a message to US regulators that it is possible to meet the European standards — and Canada has allegedly done so. I suspect that this judgment will be examined very carefully by American legal experts.

So, while this judgment will be welcomed by the Canadian government, and by businesses that continue to rely on unimpeded flows of personal data from the European Union for commercial purposes, it also raises far more questions than it answers.

It is important to note that Canada, and the 10 other jurisdictions mentioned in the January 15 adequacy assessment, have not only maintained an adequate level of protection but, allegedly, further aligned themselves with the evolving European Union legislative framework. The GDPR refers to adequacy assessments as “living instruments.” And we are now “adequacy partners” — a privileged club engaged in a mutually beneficial journey designed to advance data protection rights around the world. The word “convergence” is thrown around in the media and in popular discourse (without proper definition). I wrote about policy convergence in data protection back in the early 1990s in my book Regulating Privacy: Data Protection and Public Policy in Europe and the United States. I am sensitive to its misuse.

The accompanying staff report documents changes in Canadian law and policy introduced since 2001 that allegedly support the conclusions about adequacy. Those changes include the passage of the Digital Privacy Act in 2015; the passage of the Canada Anti-Spam Legislation in 2010; mandatory breach notification (2015); and various decisions by the Office of the Privacy Commissioner (OPC) on consent, sensitive data and international data transfers. The staff report notes with approval the various investigations by the OPC, the system of complaints investigation and resolution, and the various tools to assist compliance and accountability.

Does the collection of legal facts present evidence of a “convergence” with European standards? The report does not mention the various criticisms of PIPEDA, in particular the severe constraints caused by the current lack of order-making powers from the Commissioner (notably with respect to Facebook). The reports actually give the impression that they were cut and pasted from sources provided by government ministries, in particular, Innovation, Science and Economic Development Canada and the Department of Justice. There are no references to sources other than official sources.

The staff report does recognize Canada’s ongoing legislative reform efforts. It notes: “The proposed Consumer Privacy Protection Act [CPPA] would amend PIPEDA in several ways, e.g., by codifying certain clarifications provided over the years by courts and the OPC (for instance on the validity and modalities of consent, requirements for the legitimacy/lawfulness of data processing, the right to deletion and international data transfers) and by further strengthening the powers of the OPC.” I agree with the last point. I am not so sure that it strengthens the consent requirements or the rules on the legitimacy of data processing. And there is nothing in the CPPA on international data transfers.

The adequacy assessment report also adds the rather patronizing comment that “the Commission recommends enshrining some of the protections that have been developed at sub-legislative level in legislation to enhance legal certainty and consolidate these requirements. The ongoing legislative reform of PIPEDA could notably offer an opportunity to codify such developments, and thereby further strengthen the Canadian privacy framework. The Commission will closely monitor future developments in this area.” The report mentions the conditions for valid consent, and the definitions of sensitive data, as examples of such developments.

The Risks in Rushing to Judgment

Maybe this should be read as a warning? It is certainly evidence of the Commission’s insistence that adequacy assessments are an ongoing and iterative process. And one could reasonably ask whether the positive adequacy assessment would have been granted had Canada not embarked on the program of legislative reform of PIPEDA. It is also worth noting that the Commission has stressed that it will not hesitate to use the powers granted by article 45(5) of the GDPR to suspend, amend or withdraw an adequacy decision should data protection safeguards be mitigated or impaired. It should be remembered that adequacy status was withdrawn from Quebec in 2014.

And with respect to Quebec, we should note that it has already passed a modernized data protection law that is in closer alignment with the GDPR than is the CPPA. In the final analysis, the convergence of the federal privacy law with Quebec’s new Law 25 is more pressing for the modernization of Canadian personal data protection policy than is alignment with European standards. Any weaker privacy standards in the CPPA should not undermine Quebec’s efforts, nor prompt corporate decisions to operate outside Quebec in the hope of avoiding those more stringent legal requirements.

So why find that Canada is adequate now? Why rush to judgment while Bill C-27, including the reform of PIPEDA in the form of the CPPA, is still going through Parliament, and being reviewed by the House of Commons Industry Committee? Why run the risk that this decision will now introduce complacency, or at worst, encourage business interests to lobby to weaken Bill C-27 further with the argument that the status quo is just fine? And why undermine the arguments of those, like myself, who have been arguing that current Canadian privacy protection law is not adequate, and desperately needs improvement. We have been waiting for five years; would another few months really be problematic?

In the final analysis, Canada needs a stronger and modernized privacy protection framework regardless of the demands of our European partners. Effective privacy protection law and implementation need to be rooted in the institutions and the culture of the jurisdiction in question. They cannot be imposed externally.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Colin J. Bennett is a professor in the Department of Political Science at the University of Victoria.