Privacy and the Receipt of Personal Information From EU Countries

The EU privacy directive (1995 version – I gather that it is being revised, though I don’t know on what timetable) provides that member countries may not release personal information outside the EU unless the recipients are bound by equivalent safeguards for privacy.

While the US has a ‘safe harbor’ agreement with the EU about criteria for judging when the protections are equivalent, Canada does not. On the other hand, we have a generally applicable privacy law (PIPEDA) and some provincial equivalents, plus personal health information laws in most provinces. Are they enough to permit the personal information to come here, or are there problems?

I think for example of a provision like Article 8 of the Directive, about processing of ‘special categories of data’, like health care data. This is not to be released without consent of the individual concerned. However, there is an exception for data released for diagnostic or health care reasons, if the person to whom the PI is released is subject to safeguards under the applicable law. (Article 8(3))

Are the provincial health information protection acts (I think of the Personal Health Information Protection Act in Ontario, but most provinces have them, as noted) considered adequate protection for such disclosure from the EU? If there is no official EU-level pronouncement on the topic, have you or your clients run into any problems in getting information transferred from EU countries that would rely on this legislation for authority? Do the transferors (or their lawyers) distinguish between PIPEDA and the specific obligations of the provincial laws in discussing such transfers?

In short, how is this working in practice, given the variety of EU laws implementing the Directive and the variety of laws that apply to the potential recipients?

Are any of the likely revisions to the Directive going to affect operations on this practical level, or are they just aimed at updating for new technology or practices, like data storage in the cloud?


  1. The EU officially recognized PIPEDA as providing equivalent privacy protection, in 2002. Here is the press release about that.

    The questions here are more directed at transfers that would be covered under provincial law, either of general application or, probably more interestingly, under specific legislation like the health information protection laws. Are they adequate to permit a transfer of PI from the EU?

    Or does the international character of the transfer necessarily involve applying PIPEDA rather than provincial law?