Executive Summaries Jun 4, 2018

Best Practices for Québec Companies Receiving European Data

As far as adequacy recognition by the European Commission is concerned, Québec companies are caught in a grey zone when transferring their data to another jurisdiction – probably as a result of oversight. Appropriate safeguards must be put in place to avoid unpleasant EU sanctions.

Danielle Miller Olofsson has authored this article.

The European General Data Protection Regulation (GDPR) that took effect on May 25 places tight controls on the transfer of data from the European Union (EU). For example, if a data subject (individual whom the data concerns) has not specifically and explicitly consented to the transfer of their data to another jurisdiction, their data cannot be transferred to that jurisdiction unless the jurisdiction has been declared adequate by the European Commission (the Commission) on the basis that it offers protection comparable to the EU. In the absence of such a declaration, an organization must put in place appropriate safeguards which, depending on the nature of the organization, could include binding corporate rules (BCRs), standard data protection clauses, an approved code of conduct or an approved certification mechanism.

A GREY ZONE TO BE AWARE OF

Québec companies receiving data on European nationals, either directly or as subcontractors to a European organization, however, should be aware of the following conundrum:

As things stand in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) that applies to federally regulated companies, such as banks and post offices, as well as to companies in provinces that do not have comparable privacy legislation, has been declared adequate. The private sector privacy legislation in the three provinces that have passed comparable legislation, Québec, Alberta, and British Columbia, however, has not received the Commission’s stamp of adequacy - probably as a result of oversight. Since companies in these provinces are not allowed to choose the privacy law that governs them but are automatically subject to the provincial law, they are caught in a grey zone as far as adequacy recognition is concerned.

The simplest way for Québec companies to avoid unpleasant EU sanctions such as the blocking of data coming from Europe, would be to either adopt BCRs - more suitable for organizations with several members in the group - or include standard data protection clauses in their transfer agreements. These clauses are a series of provisions that have either been adopted or approved by the Commission and that can be easily included in most contracts involving data transfers. Organizations may also wish to include their own clauses but they will have to prove that they offer comparable safeguards. Alternatively organizations can opt for implementing an approved code of conduct or certification (but these are more recent solutions and the details require some clarifying).

So although the absence of an adequacy certification by the Commission is probably the result of an oversight rather than a concern for the information safeguards provided by the provincial private sector privacy legislation, companies operating in provinces that have enacted such legislation, Québec for example, would be well to include standard data protection clauses in data transfer agreements with European organizations.

For further information we invite you to contact the Privacy, Data Protection and Cyber-Crypto Security team where our lawyers will be happy to assist you.

You would also like

Data-Privacy

Bill 82: One Step Closer to a National Digital Identity (and Modifications to Other Provisions!)

Entrepreneurship forum

Entrepreneurship Forum: Vision 2025

Athlete

Protecting Privacy in Sports – Don’t Wait to be Caught Flat-Footed!

data-protection

Obligation to Report Information Security Incidents: The Autorité des Marchés Financiers Catches the Wave and Publishes a New Regulation

Right to Data Portability: Is your Organization Ready?

Tech Forum 360

Tech 360 Forum: Growth and Inflection Points

Prospera: Québec’s Economic Barometer

Canada's Best Managed Companies: BCF Recognized for 17th Consecutive Year

paul et misha

BCF Strengthens its Expertise in Artificial Intelligence

new-partners-2024

BCF Has Appointed Three New Partners

Who’s Who Legal : 5 BCF Professionals Stand Out

BCF extends its Partnership with the Canadian Association of Black Lawyers to a Third Year

Demystifying Privacy Impact Assessments (PIAs)

The Data Processing Agreement: An Essential Resource to Implement

camera-on-a-wall

The Incident Response Plan: the Cornerstone of Effective Crisis Management

forum-privacy-en

Strategic Forum on Enterprise Data Protection

Chambers Canada Ranking: Five of our Lawyers Recognized

Photo of Julie Doré

Julie Doré Takes Over Management of The BCF Business Law Firm

Prospera – Quebec Economic Barometer

Julien Tricart, Member of the Meritas Sports Law Group

Pride Month: Let’s Create an Inclusive Future

Canada’s Best Managed Companies: BCF Recognized for 16th Consecutive Year

New Privacy Requirements: Is Your Business Compliant?

Every Woman Counts

Strategic Forum on the Role Played by Businesses in the Fight Against Climate Change

BCF Partners with the Canadian Association of Black Lawyers to Promote Diversity in Québec Law Faculties

BCF's More Inclusive Approach: Improved Parental Leave

Shaun E. Finn Appointed to the Superior Court of Québec

How to Ensure a Business Succession?

Business black folders on table

Adoption of Bill 78 on Transparency Business: Are You Ready?

Strategic Forum on Market Consolidation and Business Succession

BCF Partners with the Clinique Juridique de Saint-Michel to Promote Access to Legal Studies for Young People from Diverse Communities

What Are the Best Practices for Managing Privacy Incidents?

Shaun E. Finn, Co-Author of In the Public Eye: Privacy, Personal Information, and High Stakes Litigation in the Canadian Public Sector

Should Using Personal Information Obtained Without Consent Be Grounds for Class Action Authorization?

Five of our Lawyers Stand out in the 2023 Edition of the Chambers Canada Ranking

Cybersecurity and Privacy in Canada: What You Need to Know About Bill C-27

Is the Loss of Personal Information Sufficient to Justify the Success of a Class Action on the Merits?

Bill C-26: The Federal Government Takes a Closer Look at Cybersecurity and Privacy

Jocelyn Poirier, BCF’s Chief Privacy Officer

43 BCF Professionals Stand Out with 78 Nominations in the 2023 Editions of Best Lawyers in Canada and Ones to Watch

Seven New Lawyers Join BCF

Adoption of Bill 96: Be Ready

Pride Month: The Value of Diversity

BCF, the 3rd Largest Law Firm in Québec

Canada’s Best Managed Companies: BCF Recognized for 15th Consecutive Year

BCF Recognized by the Globe and Mail as one of Canada’s top Law Firms

Chambers Canada 2022: BCF Earned Band 1 Ranking in Québec for Corporate and Commercial Law

Seven New Lawyers Join BCF

Privacy and Data Protection Class Actions: Trends, Challenges and Best Practices

A First in Canada: Privacy Class Action Dismissed on the Merits

escalier

BCF Welcomes Seven New Lawyers

Collaboration in the Time of COVID-19: Legal Considerations for Successful AI and Healthcare Partnerships

Shaun E. Finn and Danielle Miller Olofsson Publish a Unique Practical Handbook on Privacy and Data-Protection Class Actions

What Are the Implications of the End of EU-U.S. Privacy Shield Framework for Your Business?

Investigation on Tim Hortons’ Application

Québec’s Bill 64 to Amend Data Protection Legislation: A Bill with Teeth?

Does the Use of Thermal Imaging Cameras in Stores Comply with Privacy Laws?

COVID-19: Solutions to Address this Situation

COVID-19: Finally a Toolbox for Developers of Geolocalisation Applications

Tracking the COVID-19 Pandemic with Cellphones

COVID-19: Don’t Forget Data Protection When Designing a Response Strategy

BCF once again ranks as one of Montreal's Top Employers

BCF Names 16 New Partners for Its 25th Anniversary

Joint Controllership or the Risks of using Website Plugins

Are You a Leader or a Follower?Results of the Innovation Survey

Chambers Canada 2020: BCF Recognised in Corporate and Commercial Law

Strategic Forum on Innovation

Different Legislative Approaches to 5G

Innovating to Survive: Are You a Leader or a Follower?

Is Your Company Implementing a New Technology System? Remember to Protect Your Data

5G Technology Is Coming: Legal Questions Abound

Legal Issues Surrounding the Industrial Revolution 4.0

Where Does Québec Stand in Terms of Privacy Class Actions?

De-fogging the Cloud Act

fenetres

Google and CNIL: a Case of Inappropriately Obtained Consent

Anonymization? Think Again

The Deep Web and Dark Web Demystified for Businesses

The GDPR is Coming: How to Get Ready

Protection of Personal Data: New Measures Put in Place by the European Union

Is Your Organisation Collecting Too Much Data and Is It Well Protected?

Get the latest thought leadership