The ‘adequacy’ test: Canada passes, but the exam is still on

Other countries’ laws do not need to be a “photocopy” of the GDPR to be adequate. Professor Emeritus Colin J. Bennett reports from Canada.

On January 15 of this year, the European Commission released a report(1) formally declaring that Canada, along with ten other jurisdictions, continues to offer an “adequate level of protection” for personal information transferred from the European Economic Area. Digital data can, therefore, continue to flow freely to Canada from the European Union, at least to the extent that the receiving organizations are covered by Canada’s 23-year-old data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada has enjoyed this status since 2001.

Adequacy assessments are now dictated by the requirements of the European Union’s General Data Protection Regulation (GDPR)(2), which came into force in May 2018. Companies in Canada might import data through other mechanisms, including standard contracts, binding corporate rules, certification schemes and codes of practice. But Canada being recognized as a safe harbour, which adequacy status confers, is by far the most preferred and efficient solution for businesses. Adequacy has proven to be a comprehensive, elegant solution that can apply to any business, including small and medium-sized enterprises, reducing the need for further contractual or other solutions, and the legal fees associated.

Continue Reading

International Report subscribers, please login to access the full article


If you wish to subscribe, please see our subscription information.