Best Practices for Québec Companies Receiving European Data

May 30th, 2018

By Danielle Miller Olofsson, Chief, Knowledge Management and Market Strategies.

The European General Data Protection Regulation (GDPR) that took effect on May 25 places tight controls on the transfer of data from the European Union (EU). For example, if a data subject (individual whom the data concerns) has not specifically and explicitly consented to the transfer of their data to another jurisdiction, their data cannot be transferred to that jurisdiction unless the jurisdiction has been declared adequate by the European Commission (the Commission) on the basis that it offers protection comparable to the EU. In the absence of such a declaration, an organization must put in place appropriate safeguards which, depending on the nature of the organization, could include binding corporate rules (BCRs), standard data protection clauses, an approved code of conduct or an approved certification mechanism.

A grey zone to be aware of

Québec companies receiving data on European nationals, either directly or as subcontractors to a European organization, however, should be aware of the following conundrum:

As things stand in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) that applies to federally regulated companies, such as banks and post offices, as well as to companies in provinces that do not have comparable privacy legislation, has been declared adequate. The private sector privacy legislation in the three provinces that have passed comparable legislation, Québec, Alberta, and British Columbia, however, has not received the Commission’s stamp of adequacy - probably as a result of oversight. Since companies in these provinces are not allowed to choose the privacy law that governs them but are automatically subject to the provincial law, they are caught in a grey zone as far as adequacy recognition is concerned.

The simplest way for Québec companies to avoid unpleasant EU sanctions such as the blocking of data coming from Europe, would be to either adopt BCRs - more suitable for organizations with several members in the group - or include standard data protection clauses in their transfer agreements. These clauses are a series of provisions that have either been adopted or approved by the Commission and that can be easily included in most contracts involving data transfers. Organizations may also wish to include their own clauses but they will have to prove that they offer comparable safeguards. Alternatively organizations can opt for implementing an approved code of conduct or certification (but these are more recent solutions and the details require some clarifying).

So although the absence of an adequacy certification by the Commission is probably the result of an oversight rather than a concern for the information safeguards provided by the provincial private sector privacy legislation, companies operating in provinces that have enacted such legislation, Québec for example, would be well to include standard data protection clauses in data transfer agreements with European organizations.

For further information we invite you to contact the Privacy, Data Protection and Cyber-Crypto Security team where our lawyers will be happy to assist you.