In the June 27, 2017, issue of The Privacy Advisor, Ryan Chiavetta, CIPP/US, wrote an excellent and highly relevant article entitled, "Could Canada lose its adequacy standing?" The question is, in my view, so pressing that it needs reiterating.
I would like to support Chiavetta’s reporting with additional information from my conversations with European regulators and with Canadian government officials to highlight the risk to Canada's adequacy on two fronts: the increased rigour of the adequacy process under the EU General Data Protection Regulation and the apparent complacency of the government of Canada in this regard.
From my conversations on this matter with my former colleagues in European data protection regulations, as a former Assistant and Interim Privacy Commissioner of Canada, I have drawn these conclusions:
- Adequacy decisions taken under Directive 95/46/EC on the protection of personal data (the Directive) cannot be seen as precedents;
- the privacy image of Canada has been tainted by the Snowden revelations which brought attention to its close operational ties with the U.S. and its participation in the Five Eyes;
- and the issue of surveillance has much increased in importance in Europe with those revelations, as well as with the decision of the Court of Justice of the European Union in Schrems on October 6, 2015.
Comments from European regulators and a comparison of the text of the Directive with that of the GDPR in relation to adequacy show the break in approach. The Directive, at Article 25.2, provides succinct guidance to assess adequacy of a non-EU state as taking into account “the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.” Article 45.2 of the GDPR stands in contrast with a level of specificity on adequacy assessment that suggests Europe has learned its lesson from the inherent laxity of the former legal regime. Assessment of adequacy shall now include:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organization is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the member states; and
(c) the international commitments the third country or international organization concerned has entered into, or other obligations arising from legally binding conventions or instruments, as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
To the tightening of the criteria, Article 45.3 adds “a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country."
So this is what we know about the future of Canada’s adequacy: On May 25, 2018, the countdown will start for the review of Canada’s adequacy within four years, taking us to, at the latest, 2022. What we can speculate on is how we will stack up. Consider this: Canada respects the rule of law, human rights and fundamental freedoms. Bill C-59, the National Security Act, however, will be scrutinized particularly in relation to the access of public authorities to personal data. Bill C-59 is an undeniable improvement over the current Anti-Terrorism Act, and in that sense, will help Canada’s adequacy assessment, but it remains a major test.
Canada will also be judged for its data protection rules that do not include main elements of the GDPR, such as the right to data portability, the right to object, the rules for the onward transfer of personal data to another third country, or the right to erasure as created under the GDPR. Where Canada is strong is in the robustness of judicial remedies and an effective data supervisory authority. Yet, it remains to be seen how Europe will assess the Office of Privacy Commissioner’s lack of enforcement powers against the test of “effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.”
So Canada could very well lose its adequacy status and for those who believe the matter was put to rest in the Comprehensive Economic and Trade Agreement between Canada and Europe, I am afraid I have disappointing news.
Under both legislative and treaty interpretation rules, no exception or amendment to the GDPR can be created without an express provision to that effect in a subsequent treaty. CETA contains no such provision in relation to adequacy with the GDPR. Quite the opposite, Article 28.3.2 (ii) of CETA creates a specific exception that preserves the right for the EU and Canada to adopt and enforce measures necessary to “secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to […] the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” This is an assertion of the application of GDPR and GDPR comes with adequacy rules for data transfer.
CETA may be seen as a positive argument in relation to the criteria under GDPR regarding the assessment of adequacy in light of “international commitments the third country concerned has entered into,” but it is by no means a free pass.
The reality of risk on the European front brings me to the risk on the Canadian front: Inquiries to Canadian officials on how Canada is preparing to buttress adequacy under GDPR lead to answers that may be most kindly described as “relaxed.” Apparently, an interdepartmental group of policy analysts is looking at it but there is not much to say in that regard. Its efforts are apparently drowned by the focus on innovation, certainly laudable, but not addressing a crucial economic advantage for Canada. And yet, legislative amendments may be needed within five years and the legislative process is a slow and arduous one.
Which brings me to my conclusion: Advising both Canadian and American companies on privacy, I see the competitive advantage of personal data transfer through adequacy rather than through Privacy Shield, model clauses or BCRs. I would never want to see Canada lose that advantage both as a differentiator in North America and as the gold standard for data protection. We need to get ready.