Art. 29 Lists Reservations on Adequacy Of Quebec's Data Protection Legal Regime

June 20 — The European Commission should wait to consider whether the Canadian province of Quebec's data protection legal regime is adequate to preserve the privacy of personal data received from the European Union, the Article 29 Working Party said in an opinion released June 19.  

In order for personal data to be transferred out of the EU in compliance with the EU Data Protection Directive (95/46/EC), the receiving country must have a legal regime that the commission, the EU's executive arm, determines “adequately” protects privacy.

The Art. 29 Party, which is made up of data protection officials from the 28 EU member states, serves as the official data protection advisory body to the European Commission.

There are alternative means of lawfully transferring data, including binding corporate rules, standard contractual clauses and the U.S.-EU Safe Harbor Program. The continuing viability of those alternatives may, however, be in question.

Long Standing Provincial Law

The Quebec Act providing protection of personal information in the private sector took effect in 1994 and was strengthened in 2000.

In May 2002, the Office of the Privacy Commissioner of Canada reported to the Canadian Parliament that Quebec's privacy regime was the first provincial regime sufficiently similar to the federal Personal Information Protection and Electronic Document Act—which was scheduled to take effect for the private sector in January 2004—and would allow it to provide data protection coverage to the private sector in place of PIPEDA.

In November 2003, the Quebec Act was officially recognized as sufficient so as to largely exempt businesses and other organizations in Quebec from the application of PIPEDA.

List of Concerns

The Art. 29 Party counseled the European Commission to not undertake an adequacy ruling on Quebec until:

  •  the territorial scope of the Quebec Act in relation to PIPEDA is clarified;
  •  the transparency principle is better met by ensuring that contact details of the “person carrying on an enterprise” are required to be made available to data subjects;
  •  the right of access principle is more consistent with the EU Data Protection Directive (95/46/EC) by limiting access in some circumstances “on the basis of the legitimate interest of the data controller”;
  •  the term “sensitive information” is better defined and the highest level of protection is provided for such information; and
  •  the coverage of data transferred onward after receipt in Quebec is clarified to “require the use of contractual or other binding provisions in order to provide a comparable level of protection with the protection awarded by EU law.”
  • The Art. 29 Party last recommended approval of the Principality of Monaco's application. The European Commission hasn't ruled on Monaco's adequacy application.

    The commission last approved country privacy regimes as adequate in 2012 when it issued adequacy determinations in favor of Uruguay and New Zealand.

    “Opinion 7/2014 on the protection of personal data in Quebec—WP219” is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp219_en.pdf.