In a Report issued two weeks ago,[1] the European Commission advised that its 2001 decision granting the federal privacy law, PIPEDA,[2] “adequacy” status under relevant EU privacy law is continued and confirmed. The 2001 decision determined that PIPEDA provided an adequate level of protection for personal data transferred from the EU to Canada, as required by the EU’s then in-force “Data Protection Directive”.[3] The EU’s current law, the General Data Protection Regulation (GDPR), requires the Commission to review these decisions every four years, in order to determine whether the countries and territories that received an adequacy finding continue to provide an adequate level of protection for personal data.

The updated determination means that personal information collected in the EU may continue to be transferred to Canada, whether for processing by service providers or for disclosure to Canadian entities for their own purposes, as it has been since the 2001 ruling, without additional protective measures. By contrast, the US, having no nation-wide privacy law, does not benefit from adequacy status. Therefore, organizations looking to transfer data between the EU and the US must resort to special measures such as standard contractual clauses or certification under the recently adopted EU-US Data Privacy Framework.[4]

In the current Canadian privacy context, the European Commission’s ruling is noteworthy for two main reasons.

The benefits of adequacy

Firstly, as noted, it means that…
