2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539)
Official Journal L 002 , 04/01/2002 P. 0013 - 0016
Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539) (2002/2/EC) THE COMMISSION OF THE EUROPEAN COMMUNITIES, Having regard to the Treaty establishing the European Community, Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof, Whereas: (1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer. (2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary. (3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and in respect of given conditions. The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has issued guidance on the making of such assessments(2). (4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments. (5) The Canadian Personal Information Protection and Electronic Documents Act ("the Canadian Act") of 13 April 2000(3) applies to private sector organisations that collect, use or disclose personal information in the course of commercial activities. It enters into force in three stages: As from 1 January 2001, the Canadian Act applies to the personal information, other than personal health information, that an organisation, which is a federal work, undertaking or business, collects, uses or discloses in the course of commercial activity. These organisations are found in sectors such as airlines, banking, broadcasting, inter-provincial transportation and telecommunication. The Canadian Act also applies to all organisations that disclose personal information for consideration outside a province or outside Canada and to employee data relating to an employee in a federal work, undertaking or business. From 1 January 2002, the Canadian Act will apply to personal health information for the organisations and activities already covered in the first stage. As from 1 January 2004, the Canadian Act will extend to every organisation that collects, uses or discloses personal information in the course of a commercial activity, whether or not the organisation is a federally regulated business. The Canadian Act does not apply to organisations to which the Federal Privacy Act applies or that are regulated by the public sector at a provincial level, nor to non-profit organisations and charitable activities unless they are of a commercial nature. Similarly it does not cover employment data used for non-commercial purposes other than that relating to employees in the federally regulated private sector. The Canadian Federal Privacy Commissioner may provide further information on such cases. (6) To respect the right of the provinces to legislate in their fields of jurisdiction, the Act provides that upon the passage of substantially similar provincial laws, an exemption may be granted to organisations or activities that will then be covered by the provincial privacy legislation. Section 26(2) of the Personal Information Protection and Electronic Documents Act gives the federal cabinet the power, "if satisfied that legislation of a province that is substantially similar to this Part applies to an organisation, a class of organisations, an activity or a class of activities, to exempt the organisation, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province". The Governor in Council (Canadian federal cabinet) makes exemptions for substantially similar legislation by way of Order-in-Council. (7) Where and whenever a province adopts legislation that is substantially similar, the organisations, classes of organisations or activities covered will be exempted from the application of the federal law for intra-provincial transactions; the federal law will continue to apply to all interprovincial and international collections, uses and disclosures of personal information as well as in all instances where provinces have not created substantially similar legislation in whole or in part. (8) Canada formally adhered to the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on June 29, 1984. Canada was among the countries that supported the United Nations Guidelines Concerning Computerized Personal Data Files which were adopted by the General Assembly on 14 December 1990. (9) The Canadian Act covers all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided for in order to safeguard important public interests and to recognise certain information which exists in the public domain. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the authorities, such as the Federal Privacy Commissioner invested with powers of investigation and intervention. Furthermore, the provisions of Canadian law regarding civil liability apply in the event of unlawful processing which is prejudicial to the persons concerned. (10) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection. (11) The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion on the level of protection provided by the Canadian Act, which have been taken into account in the preparation of this Decision(4). (12) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC, HAS ADOPTED THIS DECISION: Article 1 For the purposes of Article 25(2) of Directive 95/46/EC, Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents Act ("the Canadian Act"). Article 2 This Decision concerns only the adequacy of protection provided in Canada by the Canadian Act with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States. Article 3 1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in Canada whose activities fall under the scope of the Canadian Act in order to protect individuals with regard to the processing of their personal data in cases where: (a) a competent Canadian authority has determined that the recipient is in breach of the applicable standards of protection; or (b) there is a substantial likelihood that the standards of protection are being infringed; there are reasonable grounds for believing that the competent Canadian authority is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in Canada with notice and an opportunity to respond. The suspension shall cease as soon as the standards of protection are assured and the competent authority concerned in the Community is notified thereof. 2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1. 3. The Member States and the Commission shall also inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in Canada fails to secure such compliance. 4. If the information collected under paragraphs 1, 2 and 3 provides evidence that any body responsible for ensuring compliance with the standards of protection in Canada is not effectively fulfilling its role, the Commission shall inform the competent Canadian authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope. Article 4 1. This Decision may be amended at any time in the light of experience with its functioning or of changes in Canadian legislation, including measures recognising that a Canadian province has substantially similar legislation. The Commission shall evaluate the functioning of this Decision on the basis of available information, three years after its notification to the Member States and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision that protection in Canada is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way. 2. The Commission shall, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC. Article 5 Member States shall take all the measures necessary to comply with this Decision at the latest at the end of a period of 90 days from the date of its notification to the Member States. Article 6 This Decision is addressed to the Member States. Done at Brussels, 20 December 2001. For the Commission Frederik Bolkestein Member of the Commission (1) OJ L 281, 23.11.1995, p. 31. (2) WP 12: Transfers of personal data to third countries: applying Articles 25 and 26 of the EU data protection directive, adopted by the Working Party on 24 July 1998, available at http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wpdocs_98.htm (3) Electronically published (paper and web) versions of the Act are available at http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6_cover-E.html and http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6_cover-F.html. Printed versions are available at Public Works and Government Services Canada - Publishing, Ottawa, Canada K1A 0S9. (4) Opinion 2/2001 on the adequacy of the Canadian Personal Information and Electronic Documents Act - WP 39 of 26 January 2001 available at http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm