Canada’s House of Commons Standing Committee on Access to Information, Privacy and Ethics is currently reviewing whether to make amendments to the Personal Information Protection and Electronic Documents Act. The committee began hearing from witnesses on Feb. 14.
Among the witnesses who have appeared already, are: Daniel Therrien, the current privacy commissioner of Canada; former federal commissioners Jennifer Stoddart and Chantal Bernier; provincial commissioners Jill Clayton (commissioner of Alberta), Drew McArthur (acting commissioner of British Columbia) and Michael McEvoy (deputy commissioner of British Columbia); Gary Dickson (former commissioner of Saskatchewan); and Cynthia Chassigneaux (administrative judge, Commission d’accès à l’information du Québec). The committee has also heard from a broad range of academics and lawyers.
Emerging themes
Although the committee has not finished hearing from witnesses, several themes are already emerging through the witness presentations. First, the there is broad skepticism as to whether PIPEDA would meet the test of “essential equivalence” under the General Data Protection Regulation; however, there is a debate as to whether Canada should be concerned about any loss of its “adequacy” designation.
Second, there is considerable debate about whether Canada already has a right to erasure and, if not, whether Parliament could enact a right to be forgotten that would survive constitutional challenge.
Third, there have been questions as to whether Canada needs legislation like the U.S. Children’s Online Privacy Protection Act or whether there is a need to strengthen PIPEDA to protect children.
Fourth, the majority of witnesses appear to be strongly in favor of increasing the powers of the Office of the Privacy Commissioner of Canada to include order-making powers and perhaps even administrative monetary penalties.
Lastly, there has been a chorus of concern about the efficacy of consent and how to address deficiencies in how organizations seek consent.
As the committee hearings continue over the next few weeks, we will examine the debate on other issues discussed. Here, we look into the debate about whether Canada should be concerned about the risk of losing its adequacy designation.
Will Canada remain “adequate”?
PIPEDA was enacted, in part, to address the European Union's Data Protection Directive’s restrictions regarding the transfer of personal information to non-E.U. jurisdictions lacking adequate privacy safeguards. Following the enactment of PIPEDA, the European Commission declared that Canada provides an adequate level of protection for personal information transferred from the European Economic Community to recipients governed by PIPEDA.
However, there appears to be broad consensus among the witnesses before the Standing Committee that Canada’s continuing “adequacy” is in jeopardy. In the preamble to the GDPR, the European Commission has clarified that the test for adequacy is one of essential equivalency. Witnesses have cited several gaps between PIPEDA and the GDPR that may affect the European Commission’s assessment of whether PIPEDA is essentially equivalent to the GDPR. For example: PIPEDA does not give the OPC any order-making powers; PIPEDA contains no administrative monetary penalties; and finally, there is no explicit right given to individuals to have their data erased or to receive a copy of it in a form that allows for portability.
A broader assessment of Canada’s legal environment may also affect the European Commission’s approach to Canada. The European Commission has stated that an adequacy assessment should take into account “how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law” (Preamble, s. 104).
Canada’s record on surveillance may cause concerns for the European Commission. Indeed, during the hearings before the Standing Committee, Commissioner Therrien referred to the hotly contested Bill C-51, Security of Canada Information Sharing Act, as being a potential stumbling block. He told the committee that his recommendations that the test for sharing of information between governmental agencies address proportionality and necessity rather than relevance as being motivated, in part, by the “fact that in a few year our laws will be assessed against European laws, and European authorities will give consideration to necessity and proportionality as important factors.”
Adequacy, but not at all costs
The witnesses before the Standing Committee have been divided on whether the Parliament should be concerned about Canada’s adequacy designation. Chantal Bernier emerged as a strong champion for amending PIPEDA with a view to maintaining Canada’s adequacy designation.[1] Now in private practice, the former assistant and interim commissioner argued that the adequacy designation was of “crucial competitive advantage.” Although not as strongly, Alberta Commissioner Clayton also argued that the committee should consider the impact of the GDPR given that “Canadian and Alberta businesses are participants” in a global economy. Commissioner Clayton stated that Parliament should ensure that when contemplating amendments “they don’t weaken the legislation and that they are not out of step with global and national considerations.”
However, many witnesses warned against being pre-occupied with the GDPR and Canada’s adequacy designation. Prof. Bennett stated that Canada’s adequacy designation was an important “symbolic message that Canada was a safe jurisdiction within which personal data could be processed.” However, Bennett went on to state:
[…] I think we should be reluctant to revise PIPEDA just because the Europeans want us to. In any case, there is unhelpful rhetoric about this regulation being kind of the gold standard for privacy protection around the world. It is a mix of different provisions, some of which have been imported from countries like Canada. We should modernize PIPEDA because it needs modernization, not because it will satisfy a vague and shifting set of standards imposed from Brussels. We should take note of what the Europeans have done and draw lessons. […]
Suzanne Morin, a leading privacy lawyer and vice-chair of the pPrivacy and Access to Information Section of the Canadian Bar Association, noted that Canada’s adequacy designation would be assessed in light of all of its privacy laws — public sector and private sector. It was premature, in the CBA’s view to make amendments to PIPEDA in reaction to the GDPR. The CBA’s positions appears to be that, even if Canada lost its “adequacy” designation, there could be other mechanisms through which companies could transfer information to Canada (including, for example, binding corporate rules, model clauses, or other provisions). Ms. Morin stated:
The position the Canadian Bar Association is trying to present to committee members here is that we should not change our laws simply because the EU is doing so. Will it have an impact on us? Inevitably, I think it will. The fixation on adequacy, as I mentioned before, was wonderful, it was convenient, and it was very good for Canadian business, because it simplified the transfer of information. It's not the only way to do it. There are other mechanisms and the rest of the world is using those other mechanisms.
These views were echoed by other witnesses who argued that on important issues, such as the right to be forgotten, Canada should create its own solution consistent with its own legal system and values.
Assessing the loss of adequacy
Would the loss of Canada’s adequacy designation really have a significant impact on EU to Canada data transfers? Canada’s adequacy designation has always been partial and, even after almost fifteen years, the limitations inherent in Canada’s adequacy designation remain unclear. First, the adequacy designation has never applied to employee personal information for the majority of private sector organizations. This is because PIPEDA only applies to employee personal information of federal works, undertakings and businesses (e.g. banks, airlines, international shipping companies and other businesses whose employee relations are governed by federal law). The majority of private sector organizations are governed by provincial employment laws. In addition, PIPEDA also does not apply to non-profit and charitable organizations, except in limited situations of buying and selling member lists.
Second, the European Commission seems to suggest in its FAQ that “controller to processor” transfers from the EU to Canada may not be subject to the adequacy ruling, although this has never been tested. PIPEDA has limited application to processors of data. The organization that is responsible for ensuring that the personal information is only used and disclosed for the purposes for which it was collected is the organization who collected the information with the consent of the individual. The OPC considers the transfer to the processor to be a “use” of the data and not a disclosure. The transferring organization remains fully responsible for the processor’s activities. Given the limited application of PIPEDA to processors, there is considerable uncertainty as to how PIPEDA applies to a transfer from a EU controller to a Canadian processor.
Thirdly, the provinces of Alberta, British Columbia and Quebec each have their own private sector privacy legislation. The legislation of those provinces has been declared by the federal government to be “substantially similar,” which means that the collection, use and disclosure of personal information within those provinces is governed by the provincial law and not PIPEDA (unless they are federal works, undertakings or businesses). When Quebec sought an adequacy designation from the European Commission, it was shot down. This has resulted in uncertainty as to whether a transfer from the European Economic Community to Alberta, British Columbia or Quebec for use solely within those provinces would be covered by the PIPEDA adequacy ruling. There are reasonable arguments that the adequacy ruling would apply because PIPEDA also applies to international transfers of personal information. However, there are also good contrary arguments, particularly where the Canadian organization is merely a processor.
If there has been an economic advantage for Canadian organizations as a result of Canada’s adequacy ruling, it has been largely undocumented by any systematic study. The fact that the United States has had a checkered past with information transfers does not appear to have blocked or even slowed down trade between the EU and the United States. The United States remains the EU’s largest trading partner. There does not appear to be any empirical evidence establishing that organizations have chosen Canada as a location to transfer data because of its adequacy status.
Canada’s recent negotiation of the Canada-European Union Comprehensive Economic and Trade Agreement has been cited for the adequacy imperative. However, CETA is not contingent upon Canada maintaining adequacy. Canada’s obligations in CETA with respect to personal information and electronic commerce is adopt or maintain laws, regulations or administrative measures for the protection of personal information of users engaged in electronic commerce and, when doing so, to take into consideration international standards of data protection of relevant international organizations of which both Canada and the EU countries are members. Even leaving this aside, the United Kingdom is Canada’s largest European trading partner and the U.K. has just triggered its exit from the EU. Canada has already signaled that it would like to pursue free trade with the U.K.
If the business case for maintaining adequacy is uncertain, the political advantage is clear. The GDPR has a number of features that the OPC and many privacy advocates would like to see for PIPEDA. In particular, the OPC and many privacy advocates would like to see order-making powers for the OPC and administrative monetary penalties for non-compliance, as well as a stronger right to erasures of data. Maintaining adequacy creates a sense of urgency to for amending PIPEDA to achieve some of these goals, even if, ultimately, Canada’s adequacy status might remain in jeopardy because of weaker public sector privacy protections.
[1] Ms. Bernier is counsel at Dentons Canada LLP, where the author of this article is a partner.