• First Reference
  • About us
  • Contact us
  • Blog Signup 📨

First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies
You are here: Home / Business / Adequacy of Canadian privacy law

By Occasional Contributors | 3 Minutes Read January 25, 2017

Adequacy of Canadian privacy law

On October 3, the European Commission presented draft decisions amending a number of existing adequacy decisions, including the decision applicable to Canada, as well as the decision on standard contractual clauses.

adequacy Potential amendments could mean Canadian businesses receiving personal information from Europe will have more exposure to the differences in the data protection laws and enforcement regimes in the EU member states.
European privacy law has been in flux in the wake of the Schrems decision, which struck down the EU–US Safe Harbour regime for transfers of personal information. (See previous coverage here, here, here, here, and here.)
While the direct impact of that decision was limited to Safe Harbour, the principles it set out were widely anticipated to have broader implications. Some clues have now emerged as to how these implications will play out.
On October 3, the European Commission presented draft decisions amending a number of existing “adequacy” decisions, including the decision applicable to Canada, as well as the decision on standard contractual clauses (or “SCCs”).
The amendments have not yet been publicly released. However, according to the summary of the meeting of the “Committee on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (aka the “Article 31 Committee”):

…the purpose of both draft decisions is to cure the illegality that follows from the findings in the Court of Justice’s Schrems ruling. In Schrems, the Court invalidated Article 3 of the Safe Harbour adequacy decision because it found that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (“DPAs”) to suspend and prohibit data flows. Since a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.

From this description, it seems likely that the amendment will (at least) modify Article 3 of the Canadian adequacy decision, to make it clear that DPAs will have full and independent authority to review any transfers to Canada and apply any remedies available under their respective national laws.
The same is presumably true for the other affected decisions, including Article 4 of the SCCs decision.
If true, this will mean that Canadian businesses on the receiving end of transfers of personal information from Europe (and all businesses relying on the SCCs) will have more exposure to the differences in the data protection laws and enforcement regimes in the member states. This confirms what we predicted would be a likely consequence of the Schrems decision.
Some of these differences will be harmonized by the GDPR, when it comes into full effect on May 6, 2018. However, that will bring its own challenges, including new obligations that will be applied extraterritorially to businesses offering goods or services in the European market, backed by the potential for hefty monetary penalties that can reach up to the greater of €20 M or 4% of an organization’s global after–tax revenues.
However, there does not appear to be any suggestion that these amendments will modify the core determination that Canadian law provides adequate protection of personal information. So, at least in the short term, it will continue to be legal to transfer European personal information to Canada.
The Article 31 Committee has not yet taken any decision on the proposed amendments. A further meeting will be convened in “the coming weeks”, after the member states have an opportunity to review and consider the documents.
By: Keith Rose, McCarthy Tétrault LLP

  • About
  • Latest Posts
Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.
Latest posts by Occasional Contributors (see all)
  • New qualifying disbursement rules add directed donations anti-avoidance provisions complicate charity regulation - February 6, 2023
  • Ontario Court decision is first donor advised fund case and provides some certainty about DAFs - January 31, 2023
  • Corporations Canada and new transparency about federal non-profit corporations under the CNCA and new fees for certain documents - December 21, 2022

Article by Occasional Contributors / Business, Finance and Accounting, Information Technology, Payroll, Privacy / adequacy, data protection, personal information, powers of national supervisory authorities, privacy law, Safe Harbour adequacy decision, Schrems decision

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

Electronic monitoring

About Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Footer

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

First Reference Talks

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies

Main Menu

  • About First Reference
  • Resources
  • Contact us
  • 1 800 750 8175

Stay Connected

  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

We welcome your comments on our blog articles. However, we do not respond to specific legal questions in this space.
We do not provide any form of legal advice or legal opinion. Please consult a lawyer in your jurisdiction or try one of our products.


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved
Legal and Copyright Notices · Publisher's Disclaimer · Privacy Policy · Accessibility Policy