Businesses and private sector organizations in Canada are becoming increasingly aware of the legal obligations associated with the handling of personal information (i.e., any information about an identifiable individual). Many are taking prudent steps to comply with privacy obligations and to limit their potential liability, including seeking legal advice and implementing privacy policies. However, these steps are often taken in the context of applicable Albertan and Canadian privacy statutes, leaving a “blind spot” with respect to potentially applicable European Union (EU) privacy law.

The EU has implemented a comprehensive privacy regulation called the General Data Protection Regulation (GDPR), the intent of which is to protect the privacy rights of citizens within EU member countries. Notably, the GDPR also addresses the transfer of personal information outside the EU, including for example, to businesses within Canada. EU-based organizations must comply with the GDPR, and thus, if a Canadian business intends to receive personal information from such an organization, the Canadian business may also be required to comply with the GDPR. There are several other circumstances in which a Canadian business would be subject to the GDPR, including where goods or services are offered to EU persons.

Compliance can be onerous, and at first glance, it would require the Canadian business to observe both EU and Canadian privacy laws. However, the European Commission has noted this potential for overlap, and as a solution, it may from time-to-time issue what is known as an “adequacy decision” for a particular country or jurisdiction, which is essentially a recognition that the privacy laws in that jurisdiction provide sufficient protection for EU data subjects. The effect of an adequacy decision is that personal data can flow freely from the EU to another country without further obstacles (essentially, the transfer of personal data is treated as an intra-EU transfer).

An adequacy decision can have caveats. For example, the European Commission recently (as of July 10, 2023) adopted an adequacy decision for the USA, with the caveat that the decision only benefits those organizations that participate in the EU-US Data Privacy Framework (DPF). The DPF is a set of rules that an American organization can voluntarily adopt, and which creates legally enforceable privacy obligations for the adopting organization. If an American organization does not adopt the DPF, it will not benefit from the adequacy decision.

Likewise, Canada’s adequacy decision has a notable caveat. Only organizations that operate under the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), Canada’s federal privacy legislation for the private sector, are entitled to the benefit of the adequacy decision. Each of Alberta, British Columbia and Quebec have implemented “substantially similar” private sector privacy legislation that operates in lieu of PIPEDA for intra-provincial collection, use and disclosure of personal information by private sector organizations within such provinces. Organizations subject to these “substantially similar” provincial regimes may or may not benefit from Canada’s adequacy decision in connection with processing of the personal information of EU data subjects.

Takeaways

We understand that compliance with domestic privacy legislation can be difficult for Canadian businesses, much less compliance with a foreign regulation such as the GDPR. If your business or organization processes any personal information of EU data subjects, and you are unsure whether the GDPR applies (or whether you can rely upon Canada’s adequacy decision) consider seeking legal counsel to ensure that you maintain compliance with all applicable laws, whether domestic or foreign.

The lawyers within Field Law’s privacy law practice group have the knowledge and experience to assist with all aspects of privacy law compliance, from general advice to drafting of a suitable privacy or cyber security policy for your business or organization. Ensure that you take steps to protect your business or organization before processing any personal information. Contact Jarett Schaumberger in Edmonton or Kelly Nicholson in Calgary for guidance.