Brussels, 14th January 2002
Data protection: Commission recognises adequacy of Canadian regime
The European Commission has recognised that the Canadian Personal Information Protection and Electronic Documents Act provides adequate protection for certain personal data transferred from the EU to Canada. This will allow certain personal data to flow freely from the EU to recipients in Canada subject to the Canadian Act, without additional safeguards being needed to meet the requirements of the EU Data Protection Directive. The decision fulfils an undertaking made in 1999 by Canada and the EU in their "Joint Statement on Electronic Commerce in the Global Information Society". Both parties promised to work together to build confidence in cross-border electronic commerce and to ensure the free flow of personal data on the basis of high data protection standards.
Internal Market Commissioner Frits Bolkestein, who is responsible for data protection said " This decision will simplify procedures for the transfer of personal data between Europe and Canada and ensure that EU businesses know where they stand legally, whilst making certain that such data enjoys adequate protection."
The Commission's decision was taken on the basis that the Canadian Personal Information Protection and Electronic Documents Act meets the "adequacy" requirement set out in the Community Data Protection Directive (95/46/EC). This Directive requires Member States to allow personal data to be transferred only to those third countries that provide an "adequate level of protection" of such data. Article 25(6) of the Directive empowers the Commission to determine that the legal protection afforded in a particular third country fulfils the necessary requirements. Similar decisions have been adopted concerning the data protection regimes in Switzerland and Hungary and concerning the "safe harbor" arrangement in the United States (see IP/00/865).
The Canadian Act entered into force on 1 January 2001. It applies to personal information about clients and employees that federally regulated organisations (such as airlines, railways, shipping, inter-provincial trucking, banks, television, radio, telephone and telegraph) collect, use and disclose in the course of a commercial activity. The law also applies to all organisations that disclose personal information for consideration outside a province or outside Canada.
From 1 January 2002, the Act also applies to health information held by these organisations. As of 1 January 2004, the Act will cover every organisation that collects, uses or discloses personal information in the course of a commercial activity, whether or not the organisation is federally regulated.
The Canadian Act and the Commission Decision do not cover personal data held by public bodies, both at federal and provincial level, or personal data held by private organisations and used for non-commercial purposes, such as data handled by charities or collected in the context of an employment relationship. For these transfers to recipients in Canada, operators in the EU will have to put in place additional safeguards, such as the standard contractual clauses adopted by the Commission in June 2001(see IP/01/851), before exporting the data.
More details concerning the data protection Directive and its application are available at http://ec.europa.eu/privacy.
For the full text of the Joint Statement on 'Electronic Commerce in the Global Information Society' adopted at the EU-Canada Summit in Ottawa on 16 December 1999, see: