On June 4, 2014, the Article 29 Working Party (WP 29) issued a report to the European Commission (EC) regarding an application by the Province of Québec, Canada for status as a jurisdiction providing an adequate level of protection for the purposes of transfer and processing of personal data from the European Union. WP 29 is made up of representatives of European Union member states. The report is significant not only because WP 29 questioned the jurisdictional scope of the Québec legislation, but also because it has raised concerns regarding certain limitations in Québec’s scheme of protection for personal information.
WP 29′s first concern was regarding the territorial scope of Québec’s An Act respecting the Protection of Personal Information in the Private Sector (the Québec Act).
In an attempt to thwart a constitutional challenge, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) contains a mechanism to cede jurisdiction over an organization in favour of provincial legislation if that province enacts legislation that is declared to be substantially similar to PIPEDA. The Québec Act was declared substantially similar in 2003 resulting in a constitutional détente (although there remains an outstanding judicial proceeding regarding the constitutionality of PIPEDA).
Even though the Québec Act has been declared substantially similar, there is some uncertainty regarding the effect of that declaration. On one interpretation, provincial legislation, such as the Québec Act, applies only to the collection, use and disclosure of information within the province. Collection, use and disclosure across provincial borders or internationally remains subject to PIPEDA. However, another interpretation, which was adopted by the Commission d’accès à l’information du Québec in its application for recognition, is that organizations must comply with both statutes if the collection, use or disclosure of personal information crosses provincial boundaries.
WP 29 noted the apparent disagreement regarding the scope of the Québec Act and stated that further clarification was required.
WP 29 also raised substantive concerns with the adequacy of the Québec Act. In doing so, WP 29 compared and contrasted the Québec Act with PIPEDA. WP 29′s concerns seem to reflect a preference for more precise legal drafting, rather than any concern regarding how the Québec Act is interpreted and applied in practice by the Commission d’accès à l’information du Québec.
- Transparency. The Québec Act, unlike PIPEDA, does not provide for the disclosure of the contact information of a person who is accountable for the privacy practices of the enterprise, frequently referred to as a Privacy Officer. WP 29 recommended that the contact details of the person carrying on an enterprise be disclosed to the person from whom information is being collected in order to satisfy the transparency principle.
- Access Rights. WP 29 was concerned that access to personal information in Québec may be limited. WP 29 noted that Article 39 of the Québec Civil Code permits the withholding of access and the refusal to correct where the enterprise has a serious and legitimate reason for doing so or if the information is of a nature that may seriously prejudice a third person. In contrast, PIPEDA requires an organization to grant an individual access to his or her personal information except in very limited circumstances.
- Onward Transfers. WP 29 was concerned that the Québec Act did not require contractual provisions as a mandatory requirement to protect personal information transferred to third parties, even though the Québec Act provides that an enterprise shall take all reasonable steps to protect the information. It would appear that WP 29 was concerned that this could be interpreted as a standard permitting transfers without binding provisions to ensure a comparable level of protection to the Québec Act.
- Sensitive Information. WP 29 also raised concerns regarding the absence of a specific definition of sensitive data. WP 29 noted that PIPEDA also lacks a definition of sensitive data. The Canadian approach is to assess the sensitivity of information by reference to the context in which it is collected, used and disclosed. Data may be more or less sensitive depending on how it is used and combined with other information. Evidently, WP 29 would prefer greater specificity around what constitutes sensitive information.
The WP 29 report can be found here.