The Dirty Little Secret of Euro-Canadian Data Flows
Well, it’s not actually a secret but it is something that not too many people have focused on. It’s the fact that the withdrawal of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) from provincial jurisdictions with substantially similar legislation may legally complicate the ability of Canadian organizations in those jurisdictions to receive data from EU countries.
Those who follow privacy issues will know that the European Union’s Directive 95/46/EC requires Member States to permit transfers of personal data to countries outside the European Union only where there is adequate protection for such data, unless one of a limited number of specific exemptions applies. To implement this Directive, EU Member States have enacted their own data protection laws – the United Kingdom’s Data Protection Act 1998 is an example. PIPEDA was enacted in part to respond to the Directive and ensure there would be no issues with respect to data flows from EU Member States to Canada.
The good news is that in December 2001 the European Commission issued a decision that Canada’s enactment of PIPEDA met the requirements of the Directive. Canada, in effect, became “white-listed” and transfers of data were permitted. It’s important to note, though, that the decision is limited and transfers are expressly permitted “to recipients subject to the Personal Information Protection and Electronic Documents Act”.
Now things get interesting when you consider the fact that PIPEDA “withdraws” from those jurisdictions in Canada that enact substantially similar legislation. The provinces of British Columbia, Alberta and Quebec are considered by the federal government to have done so with respect to entities governed by the private sector data protection legislation in each of those provinces. PIPEDA has also “withdrawn” from Ontario with respect to entities subject to that province’s Personal Health Information Protection Act.
The unsettling news is that the EU hasn’t addressed the fact that these jurisdictions/sectors are substantially similar to the approved PIPEDA. In a 2006 European Commission report, “The application of Commission Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documentation Act”, it was noted:
“As a result of this process, the laws of Québec, Alberta and British Columbia have been found similar to the federal Canadian Act through an Order-in-Council. This is of relevance in light of the Working Party’s request to the Commission to examine this issue and assess whether provincial legislation had to be recognised individually as providing an adequate level of protection, or whether a determination that provincial legislation is substantially similar to the federal Canadian Act is sufficient to achieve the same purpose.” (Emphasis added)
PIPEDA applies to cross-border data flows, but that’s the Canadian law; data transfers originating in Europe are subject to EU law. To date, it doesn’t appear that the Commission has addressed the issue, and it remains an open question whether EU data transfers to provinces that have substantially similar legislation may occur without the other measures contemplated by the Directive being implemented (e.g. obtaining an express consent, Binding Corporate Rules, a Data Sharing Agreement using the EU Model Clauses).
Is this a practical problem? Probably not. There is no indication that the EU has had any problems or complaints about data transfers to the provinces concerned and one suspects that EU Data Protection Authorities have an enormous amount of goodwill towards, and trust in, their Canadian counterparts. Just don’t ask your lawyer for a definitive legal opinion on the subject.