Frequently Asked Questions on the Commission's adequacy finding on the Canadian Personal Information Protection and Electronic Documents Act
- The European Commission adopted a Decision on the adequacy of the Canadian law. What does this mean?
- Article 1 of the Decision says that only recipients subject to the PIPED Act are deemed to provide adequate protection. What is the scope of the Act and how can recipients subject to the Act be identified in practice?
- To what sectors of activity does the Canadian Act not apply?
- What if the recipient does not fall under the jurisdiction of the PIPED Act?
- What if it cannot be easily determined if the Canadian organisation is subject to the Canadian Act?
- What if the transfer is simply for processing purposes?
- What about employee-related data? Can it be transferred to Canada without additional safeguards being necessary?
- What are the powers of the Canadian Federal Privacy Commissioner under the PIPED Act?
- Does the Commission Decision also cover provincial legislation?
- Once the data is in Canada, what safeguards are put in place before personal data can be re-exported to another country?
The European Commission adopted a Decision on the adequacy of the Canadian law. What does this mean?
European Union (EU) law allows personal data to flow outside the EU only if there is an adequate level of protection in the country of destination or if a number of specific exceptions apply. On 20 December 2001, the European Commission recognised that the Canadian Personal Information Protection and Electronic Documents Act (PIPED Act) provides adequate protection for certain personal data transferred from the EU to Canada. This will allow EU operators to send certain personal data to recipients in Canada subject to the Canadian Act, without additional safeguards being needed to meet the requirements of the EU Data Protection Directive.
Article 1 of the Decision says that only recipients subject to the PIPED Act are deemed to provide adequate protection. What is the scope of the Act and how can recipients subject to the Act be identified in practice?
The Canadian Act applies to private sector organisations that collect, use or disclose personal information in the course of commercial activities. Initially the Act only applies to organisations that are regulated at a federal level (federal works, undertakings or businesses) such as airlines, banks, broadcasters, inter-provincial transportation companies and telecommunication networks and to the disclosure by organisations (whether they are federally regulated or not) of personal information for consideration outside a province or outside Canada. The Act also applies to all businesses in the Territories as they are deemed to be federal works. The information itself must be the subject of the transaction and the consideration is for the information.
As of 2004 it will apply to all sectors except in cases where provinces have passed privacy legislation that has been deemed to be substantially similar. If a province passes legislation that is deemed substantially similar, the provincial legislation will apply to the intraprovincial collection, use or disclosure of personal information.
To what sectors of activity does the Canadian Act not apply?
The Canadian Act does not apply to government organisations to which the Federal Privacy Act applies or that are subject to public sector privacy legislation at the provincial level. Similarly, it does not apply to non-profit and charitable organisations unless they engage in activities of a commercial nature such as the bartering and selling of donor lists.
What if the recipient does not fall under the jurisdiction of the PIPED Act?
If the recipient is not subject to the PIPED Act, then adequate safeguards in relation to the type of transfer that is envisaged must be put in place before the data can lawfully leave the European Union. One way to do this is to enter into a standard contract. One such set of contractual clauses was approved by the European Commission in June 2001 and is available for use, free of charge, at website . It allows Canadian importers voluntarily to undertake to abide by the standard in the Canadian Act even though the Act does not apply to them at this moment. This approach ensures that the same standard applies throughout Canada.
What if it cannot be easily determined if the Canadian organisation is subject to the Canadian Act?
In borderline cases, it is recommended that organisations contact the Privacy Commissioner of Canada before the transfer takes place and ask for guidance on the application of the Personal Information Protection and Electronic Documents Act. This can be accomplished by writing to the following email address: firstname.lastname@example.org.
What if the transfer is simply for processing purposes?
When the transfer is for processing purposes, the standard contractual clauses approved by the European Commission specifically for this type of transfer in December 2000 can be used (available at /privacy). In this case, the processor has to follow the instructions of the EU data controller and it is the law of the Member State where the exporter is established that applies.
What about employee-related data? Can it be transferred to Canada without additional safeguards being necessary?
The Act applies only to the employment data of federally regulated private sector organisations. This means that if the transfer is, for example, to an airline, a bank, a broadcaster, an inter-provincial transportation company or a telecommunications network, employee data can be transferred without further safeguards being needed to comply with the export requirements of the EU directive. But if the recipient organisation is not a federal work, undertaking or business, then adequate safeguards must be put into place to protect the data.
What are the powers of the Canadian Federal Privacy Commissioner under the PIPED Act?
The Commissioner has the power to receive and investigate complaints, to attempt dispute resolution and to make findings and recommendations. The Commissioner also has the authority to audit an organization's information practices when he has reasonable grounds to believe the organization is not fulfilling its obligations under the Act. In the course of conducting an investigation or an audit, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence.
After receiving the Commissioner's investigation report, the complainant can take most disputes to the Federal Court for final resolution. The Commissioner may also apply to the Court on his own or on a complainant's behalf. The Court has a range of remedies, from ordering an organisation to correct its practices or publish notices of its actions, to awarding damages.
The Commissioner may make public any information relating to the personal information practices of an organization if the Commissioner considers it in the public interest to do so.
The Commissioner also has a broad mandate to promote the purposes of the Act by conducting public education programs, undertaking research and encouraging organisations to develop privacy policies and practices.
Does the Commission Decision also cover provincial legislation?
At the moment, the Commission Decision does not cover provincial legislation, but it is foreseen that when the Canadian Government recognises a provincial law as being substantially similar to the PIPED Act, the Commission Decision will be adapted to reflect this.
Quebec, for example, has a comprehensive data protection law and it is possible that it will be recognised as being substantially similar to the PIPED Act in the near future. This in turn will allow the Commission's adequacy Decision to be adapted accordingly.
Once the data is in Canada, what safeguards are put in place before personal data can be re-exported to another country?
Generally speaking, the PIPED Act requires the individual's consent before data can be disclosed to a third party. An organisation operating in Canada and subject to the PIPED Act continues to be responsible and accountable for the information in its care, regardless of the physical location of the information. For internal transfers within an organisation but outside Canada, the organisation must ensure that the same protections are in place in its foreign operation as in its Canadian one.
In cases where the information is disclosed outside Canada to a third party for processing, the Canadian organisation must have consent. If the information is being transferred for processing purposes, the organisation is required to ensure that the foreign organisation is bound by the same requirements that would apply were it operating in Canada. This can be accomplished by a contract or other legal agreement between the parties which stipulates that the foreign organisation must abide by the requirements of the Act. It can also include the stipulation that the foreign organisation be subject to an independent audit to verify its compliance.
Complaints for non-compliance can be filed with the Privacy Commissioner of Canada, regardless of the nationality or residence of the complainant. The Commissioner and the Federal Court will hold the Canadian organisation responsible and accountable for the treatment of any personal information it has disclosed to a third party for processing, regardless of its location.