The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has issued a detailed draft report on the U.S. surveillance activities and its implications for European fundamental rights. The report loops Canada into the discussion, noting Canada’s participation in the “five-eyes” consortium and expressing concern about the implications for trust in the Canadian legal system. The report states:
whereas according to the information revealed and to the findings of the inquiry conducted by the LIBE Committee, the national security agencies of New Zealand and Canada have been involved on a large scale in mass surveillance of electronic communications and have actively cooperated with the US under the so called â€˜Five eyes’ programme, and may have exchanged with each other personal data of EU citizens transferred from the EU;
whereas Commission Decisions 2013/651 and 2/2002 of 20 December 2012 have declared the adequate level of protection ensured by the New Zealand and the Canadian Personal Information Protection and Electronic Documents Act; whereas the aforementioned revelations also seriously affect trust in the legal systems of these countries as regards the continuity of protection afforded to EU citizens; whereas the Commission has not examined this aspect.
As a result of the concerns with Canadian surveillance, the report recommends a re-examination of the adequacy finding of Canadian privacy law:
Calls on the Commission and the Member States to assess without delay whether the adequate level of protection of the New Zealand and of the Canadian Personal Information Protection and Electronic Documents Act, as declared by Commission Decisions 2013/651 and 2/2002 of 20 December 2001, have been affected by the involvement of their national intelligence agencies in the mass surveillance of EU citizens and, if necessary, to take appropriate measures to suspend or reverse the adequacy decisions; expects the Commission to report to the European Parliament on its findings on the above mentioned countries by December 2014 at the latest;
For non-privacy lawyers, the European Union law requires that non-EU countries maintain an “adequate” standard of data protection. Countries that do not meet that standard run the risk of being subject to restrictions on data transfers between themselves and all EU members states. The importance of receiving an adequacy finding was one of the prime motivations behind enacting private sector privacy law. As the Canadian government told the Supreme Court of Canada last year:
Parliament also enacted the PIPEDA, in part, in response to the European Union’s (the EU) 1995 Data Protection Directive (EU Directive). The EU Directive regulates the processing of personal information within EU member states, and requires member states to pass legislation that restricts the transfer of personal information to non-EU countries unless they provide an â€œadequate level of protectionâ€ of personal information, or alternative measures are put in place to protect privacy (such as model contracts). The EU has determined that through the PIPEDA (including its provision for recognizing substantially similar provincial legislation), Canada meets this standard. The conferral of adequacy status on Canada allows for the free flow of data between Canada and EU member states.
Canadian law received the adequacy finding in 2002. The European Parliament report now says the finding should be re-examined in light of the revelations of Canada’s active participation in global surveillance activities. Given the Canadian government’s emphasis on expanding European trade through the new Canada – EU Trade Agreement, a change in the adequacy status of Canadian privacy law could be enormously damaging. Moreover, given that the European Parliament will ultimately be required to approve CETA, the concerns about the trustworthiness of Canadian law within the EP could lead to opposition to the broader trade deal.