Privacy & Cybersecurity Law Blog

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

The European Commission declared the Canadian Federal Personal Information Protection and Electronic Documents Act (the “PIPEDA”) “adequate” in 2001, but it has not yet adopted a decision on the adequacy of the provincial Québec Privacy Act (which was recognized by the Canadian Government as being substantially similar to the PIPEDA). In 2011, the European Commission requested that the Working Party assess the adequacy of the Québec Privacy Act. In the Opinion, the Working Party recommends that the European Commission not adopt such an adequacy decision until certain improvements are made to the Québec Privacy Act. In particular, the Working Party considers that:

• the territorial scope of application of the Québec Privacy Act in relation to the PIPEDA should be clarified, as the Canadian Privacy Commissioner and the Québec Data Protection Authority (the Commission d’Accès à l’Information) seem to maintain different positions on this issue;
• the transparency requirement under the Québec Privacy Act should be strengthened by imposing an obligation to inform data subjects of the identity and contact details of the data controller (the “person carrying an enterprise”);
• the security requirement under the Québec Privacy Act should be strengthened by defining the notion of “sensitive information” (because the level of security required under the Québec Privacy Act depends on the sensitivity of the information to be protected), and appropriate safeguards should be put in place when processing sensitive information, such as requiring the data subject’s explicit consent; and
• onward transfers should require the use of contractual or other binding provisions to ensure a comparable level of data protection.