PIPEDA accountability-based transfer regime — Principle 4.1.3
Canada's federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5; PIPEDA), does not prohibit cross-border transfers of personal information or impose adequacy requirements based on the receiving jurisdiction's legal framework. Instead, PIPEDA regulates international data transfers through an accountability principle grounded in Principle 4.1.3 of Schedule 1, which is incorporated directly into the statute.
Principle 4.1.3 — the statutory foundation
Principle 4.1.3 of Schedule 1 to PIPEDA states:
> "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."
This principle is mandatory. Section 5(1) of PIPEDA requires every organization subject to the Act to comply with the obligations set out in Schedule 1.
No adequacy assessment or whitelist mechanism
In contrast to the GDPR's Chapter V regime, PIPEDA does not require Canadian organizations to assess whether the destination country offers adequate legal protection, nor does Canada maintain an approved-country list. The Office of the Privacy Commissioner of Canada (OPC) confirmed in its January 2009 Guidelines for Processing Personal Data Across Borders that "Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy." The transferring organization remains accountable for the protection of personal information regardless of the jurisdiction to which it is transferred.
Contractual safeguards as the primary mechanism
The OPC's 2009 Guidelines emphasize that "the primary means by which [protection] is accomplished is through contract." Organizations must impose contractual terms on the foreign processor requiring security safeguards "appropriate to the sensitivity of the information" and restricting use and disclosure to the purposes for which the information was originally collected. In practice, a Canadian data controller transferring personal information to a U.S. cloud provider, an Indian call center, or a Philippine payroll processor applies the same accountability obligation to each, satisfied through contract rather than a state-to-state adequacy finding.
What constitutes "comparable" protection
Principle 4.1.3 requires that the third-party processor provide a "comparable level of protection" while processing the information. The OPC has not issued detailed guidance on what this comparability standard demands in specific contexts. The requirement is functional: the contractual or other safeguards must ensure that the processor's handling of the personal information — in terms of security, use limitations, retention, and breach response — approximates the level of protection the transferor was required to maintain under PIPEDA's own principles. The comparability assessment is organization-to-organization, not law-to-law.
Interaction with the consent principle
For many years the OPC's 2009 Guidelines took the position that a cross-border transfer for processing constitutes a "use" under PIPEDA, not a "disclosure," and therefore does not require separate consent if the information is being used for the purposes for which it was originally collected. In 2019 the OPC initiated a consultation proposing that transfers for processing should be treated as "disclosures" requiring consent under Principle 4.3 of Schedule 1. After receiving 87 submissions — the majority opposing the change — the OPC announced in September 2019 that it would maintain the 2009 position under the current law, acknowledging the Federal Court of Appeal's instruction that Schedule 1 "does not lend itself to typical rigorous construction" and that "flexibility, common sense and pragmatism will best guide" interpretation. Consent for cross-border transfers is therefore not categorically required if the transfer is for the original collection purpose, though the OPC encourages transparency under Principle 4.8 (Openness).
Supervisory authority and enforcement
The OPC enforces PIPEDA's accountability principle through its complaint investigation powers under Part 1 of the Act. Organizations that fail to ensure comparable protection in the hands of a foreign processor — whether through inadequate contract terms, lack of due diligence, or failure to monitor ongoing compliance — are subject to OPC findings of non-compliance, which can be taken to the Federal Court under section 14 of PIPEDA for orders and damages.
EU adequacy recognition
The European Commission granted Canada adequacy status under Article 25(6) of Directive 95/46/EC in December 2001 (Decision 2002/2/EC). That decision remained in force when the GDPR took effect in May 2018. On January 15, 2024, the European Commission concluded its quadrennial review of 11 adequacy decisions, including Canada's, and reaffirmed Canada's adequacy status. The adequacy decision covers PIPEDA; organizations in provinces with substantially similar provincial laws (Quebec's Law 25, British Columbia's PIPA, Alberta's PIPA) are covered through PIPEDA's application to cross-border transfers even when the domestic activity is provincially regulated.
Source: PIPEDA Schedule 1, Principle 4.1.3
Source: OPC Guidelines for Processing Personal Data Across Borders, January 27, 2009
Source: OPC Announcement: Commissioner concludes consultation on transfers for processing, September 23, 2019
Source: OPC Issue sheets on the review of Alberta's PIPA, September 24, 2024
Foreign government access — mandatory transparency under Principle 4.8
When a Canadian organization transfers personal information to a foreign jurisdiction for processing — whether by a third-party service provider, an affiliate, or a cloud host — PIPEDA imposes an affirmative disclosure obligation to notify individuals that the information may become accessible to law enforcement and national security authorities of that foreign jurisdiction. This transparency requirement flows from Principle 4.8 (Openness) of Schedule 1 to PIPEDA, which the Office of the Privacy Commissioner of Canada (OPC) has consistently enforced in its complaint investigations and guidance documents.
Principle 4.8 and the OPC's 2009 Guidelines
Principle 4.8 of Schedule 1 to PIPEDA requires that "[a]n organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information," including "the type of personal information held by the organization" and "a description of the type of disclosure that may be made (e.g., to subsidiaries, to entities providing services to the organization, or to credit grantors)." Section 5(1) of PIPEDA makes compliance with Schedule 1 mandatory.
The OPC's January 27, 2009 publication Guidelines for Processing Personal Data Across Borders translates this general openness obligation into a specific cross-border transparency rule:
> "Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected."
The same passage thus fixes both the manner and the timing of the notice: the foreign-access risk must be communicated "in clear and understandable language," ideally at the time of collection, although the underlying openness obligation under Principle 4.8 is ongoing and does not lapse if the notice was not given at collection.
Scope — which foreign jurisdictions trigger the disclosure duty
The OPC has not limited this transparency requirement to specific high-risk jurisdictions (e.g., the United States under the USA PATRIOT Act or CLOUD Act). The 2009 Guidelines apply the disclosure obligation whenever personal information "may be processed in a foreign country," regardless of destination. In practice, the OPC has focused its enforcement attention on transfers to the United States — where the Foreign Intelligence Surveillance Act (FISA), the USA PATRIOT Act, and the CLOUD Act authorize compelled disclosure to U.S. intelligence and law enforcement agencies with minimal judicial oversight — but neither the text of the Guidelines nor Principle 4.8 carves out other jurisdictions.
Organizations must therefore assess whether the legal framework of the receiving jurisdiction permits government access under lawful authority (subpoena, national security letter, administrative summons, court order) and, if so, disclose that possibility to affected individuals. The OPC's 2009 Guidelines acknowledge that PIPEDA "cannot prevent foreign authorities from lawfully accessing the personal information of Canadians held by organizations within their jurisdiction," but accountability under Principle 4.1.3 and transparency under Principle 4.8 remain mandatory.
Content — what the disclosure must say
The OPC requires disclosure "in clear and understandable language" that conveys:
- That the personal information will be (or may be) processed in a foreign country (naming the country or countries if known at the time of collection);
- That the information, while in that foreign jurisdiction, may be accessible to law enforcement and national security authorities of that jurisdiction under that jurisdiction's laws; and
- The legal mechanism through which such access may occur (e.g., subpoena, court order, national security letter), if the organization is aware of the applicable foreign legal framework.
Timing — when the disclosure must be made
The 2009 Guidelines state that organizations "should" make the disclosure "at the time the information is collected." This is the OPC's preferred practice, consistent with Principle 4.2 (Identifying Purposes), which requires that "[t]he purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected." However, the underlying statutory obligation is Principle 4.8 (Openness), which is continuous. Organizations that did not disclose foreign processing and foreign government access at the time of collection remain obligated to make the information "readily available" through their public privacy policy or through direct notice to affected individuals.
No separate consent required
The 2009 Guidelines and subsequent OPC enforcement decisions confirm that organizations do not need to obtain separate consent for the cross-border transfer itself if the transfer is for the purposes for which the information was originally collected and the individual consented to those purposes. The transparency obligation under Principle 4.8 is independent of the consent analysis under Principle 4.3. As the Guidelines explain, "[o]nce an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred."
In September 2019, after a public consultation, the OPC reaffirmed that a transfer for processing is a "use" under PIPEDA, not a "disclosure," and therefore does not require fresh consent under Principle 4.3 if the use is for the original collection purpose. The foreign-government-access transparency requirement under Principle 4.8 operates in parallel: the individual must be informed of the foreign-access risk, but does not have a veto over the transfer (unless the individual withdraws consent to the underlying service, in which case Principle 4.3.8 applies).
Enforcement — leading OPC findings
The OPC has applied the foreign-government-access disclosure obligation in multiple investigations:
- PIPEDA Case Summary #2004-269 (CIBC): The Assistant Privacy Commissioner found that CIBC had satisfied its transparency obligations under Principle 4.8 by including a statement in its privacy policy that customer information processed in the United States "may be accessible to U.S. authorities under a lawful order made in that country." The Assistant Commissioner concluded that this disclosure, combined with contractual protections under Principle 4.1.3, satisfied PIPEDA.
- PIPEDA Case Summary #2007-365 (SWIFT): In the investigation into Canadian financial institutions' use of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which disclosed bulk transaction data to the U.S. Treasury under administrative subpoena, the Assistant Privacy Commissioner concluded that the banks had provided "adequate notice of the risk of possible mandatory disclosure to foreign authorities by way of clear statements in the banks' privacy policies."
Interaction with provincial law — Quebec Law 25
Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25, in force September 22, 2022, with transfer provisions effective September 22, 2023) imposes a separate and more prescriptive cross-border transfer regime. Under section 17 of the Quebec Act, an organization carrying on an enterprise in Quebec that communicates personal information outside Quebec must, before the communication, take "all reasonable steps" to ensure that the information will not be used for purposes not relevant to the object of the file, and must inform the person concerned that the information may be communicated outside Quebec and of the purposes for which it will be used. Section 17 does not contain an explicit foreign-government-access disclosure requirement, but the Commission d'accès à l'information du Québec (the Quebec supervisory authority) interprets the transparency obligation in section 17 as including disclosure of the legal framework of the receiving jurisdiction when that framework permits government access without the individual's knowledge.
Organizations subject to both PIPEDA (for cross-provincial and cross-border transfers) and Quebec Law 25 (for Quebec-resident personal information) must satisfy both regimes. In practice, a disclosure that satisfies PIPEDA Principle 4.8 and the OPC's 2009 Guidelines will also satisfy Quebec section 17, provided the organization complies with Quebec's additional procedural requirements (prior transparency, reasonable steps to ensure lawful use).
Practical implementation
Organizations transferring personal information to foreign jurisdictions — especially the United States — typically include language in their privacy policy and collection notices such as:
> "Your personal information may be transferred to and processed by service providers in [country]. While in [country], your information will be subject to the laws of that jurisdiction and may be accessible to law enforcement and national security authorities under lawful authority in that jurisdiction."
The OPC's 2009 Guidelines encourage organizations to name the specific countries and to explain the legal basis for potential government access (e.g., "subject to the USA PATRIOT Act and the CLOUD Act"). This level of specificity enhances transparency but is not strictly required by Principle 4.8 as long as the disclosure is "clear and understandable."
Source: PIPEDA Schedule 1, Principle 4.8 (Openness)
Source: OPC Guidelines for Processing Personal Data Across Borders, January 27, 2009
Source: OPC Fact Sheet: Privacy and outsourcing for businesses, January 14, 2014
Due diligence and ongoing monitoring obligations for foreign processors
Principle 4.1.3 of Schedule 1 to PIPEDA requires that an organization "use contractual or other means to provide a comparable level of protection while the information is being processed by a third party." The Office of the Privacy Commissioner of Canada (OPC) interprets this obligation as requiring both pre-transfer due diligence and ongoing monitoring of the foreign processor's privacy and security practices. The OPC's 2009 Guidelines for Processing Personal Data Across Borders and its enforcement decisions establish a multi-stage accountability framework that extends beyond the initial contract signature to active, continuous oversight.
Pre-transfer due diligence — assessing the processor before the transfer begins
Before transferring personal information to a foreign processor, the OPC expects organizations to "be diligent in all their dealings with foreign third party processors." The 2009 Guidelines state that organizations "must take into consideration all of the elements surrounding the transaction," including the foreign processor's operational capabilities, financial stability, and the legal and regulatory environment of the destination jurisdiction.
In its August 2020 investigation into TD Bank's transfer of fraud claims data to a service provider in India (PIPEDA Findings #2020-001), the OPC reviewed the bank's pre-transfer assessment process and found it satisfactory. The OPC's analysis focused on whether TD had taken "all reasonable steps" to satisfy itself that the processor had appropriate policies, processes, staff training, and security measures in place before the transfer commenced. The OPC confirmed that organizations "must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times."
For federally regulated financial institutions (banks, insurers, trust companies, and loan companies), the Office of the Superintendent of Financial Institutions (OSFI) has published Guideline B-10: Outsourcing of Business Activities, Functions and Processes (March 2009), which the OPC has expressly relied upon in its enforcement decisions. OSFI Guideline B-10 requires federally regulated entities (FREs) to "undertake a due diligence process that fully assesses the risks associated with the outsourcing arrangement, and addresses all relevant aspects of the service provider, including qualitative (i.e., operational) and quantitative (i.e., financial) factors." When the processor is located outside Canada, OSFI expects FREs to "pay particular attention to the legal requirements of that jurisdiction, as well as the potential foreign political, economic and social conditions, and events that may conspire to reduce the foreign service provider's ability to provide the service."
In PIPEDA Case Summary #2005-313, involving CIBC's outsourcing of Visa processing to a U.S. service provider, the Assistant Privacy Commissioner concluded that CIBC had met its due diligence obligations under Principle 4.1.3 in part because the bank had complied with OSFI Guideline B-10. The OPC stated that OSFI's guidelines "are also consistent with [Principle 4.1.3]." Organizations subject to OSFI supervision must therefore satisfy both OSFI's prudential outsourcing requirements and PIPEDA's privacy accountability principle; the two regimes are complementary but distinct.
What constitutes "all reasonable steps" — scope of the pre-transfer assessment
The OPC's 2009 Guidelines do not prescribe a checklist of mandatory due diligence steps, but the TD 2020-001 finding and the OSFI B-10 Guideline together suggest that a compliant pre-transfer assessment should include:
- Verification of the processor's privacy and security policies, including policies governing access controls, encryption, data retention, breach notification, and employee training;
- Assessment of the processor's financial and operational stability, to ensure continuity of service and ongoing compliance capacity;
- Review of the legal and regulatory framework of the destination jurisdiction, including mandatory government access laws (e.g., U.S. CLOUD Act, FISA, PATRIOT Act), data protection obligations, and breach notification requirements;
- Evaluation of the processor's prior compliance record, including any known data breaches, regulatory findings, or enforcement actions by supervisory authorities in the destination jurisdiction; and
- Assessment of subcontracting arrangements, if the processor intends to engage sub-processors or store data in multiple jurisdictions.
The 2009 Guidelines acknowledge that PIPEDA "does not require a measure by measure comparison by organizations of foreign laws with Canadian laws," but it does require that organizations "take into consideration all of the elements surrounding the transaction." The result may be that "some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction."
Contractual safeguards — the primary accountability mechanism
The OPC's 2009 Guidelines state that "the primary means by which [protection] is accomplished is through contract." The contract with the foreign processor must impose obligations that ensure a "comparable level of protection" while the information is being processed. The OPC and the courts have consistently held that a contractual clause requiring the processor to "comply with Canadian privacy laws" is not sufficient on its own to satisfy Principle 4.1.3.
In the TD 2020-001 investigation, the OPC noted that TD's contract required the Indian service provider to comply with Canadian privacy laws, but the OPC emphasized that "this clause would not, on its own be sufficient to ensure a comparable level of protection." The OPC therefore "closely reviewed TD's contract with the service provider, as well as the supporting documentation that TD provided our Office to demonstrate how it confirms that the service [provider complies]." The OPC ultimately concluded that TD's contract, combined with technological controls and ongoing monitoring mechanisms, provided comparable protection under Principles 4.4 (Limiting Collection), 4.5 (Limiting Use, Disclosure, and Retention), and 4.7 (Safeguards).
A compliant contract should therefore include:
- Specific technical and organizational security measures appropriate to the sensitivity of the information (encryption in transit and at rest, access logging, multi-factor authentication, physical security controls);
- Use and disclosure restrictions limiting the processor to the purposes for which the transferor originally collected the information, and prohibiting onward disclosure without the transferor's authorization;
- Data retention and destruction obligations, specifying maximum retention periods and secure destruction methods;
- Breach notification provisions requiring the processor to notify the transferor immediately upon discovery of a breach, and to cooperate in the transferor's assessment of whether the breach is reportable under PIPEDA Part 1.1;
- Audit and inspection rights, allowing the transferor to verify the processor's compliance through on-site or remote audits, third-party certifications (e.g., ISO 27001, SOC 2 Type II), or attestations;
- Subcontracting restrictions, requiring the processor to obtain the transferor's prior written consent before engaging sub-processors, and to impose equivalent obligations on any sub-processor;
- Termination and data return provisions, specifying that upon termination the processor must return or securely destroy all personal information and certify compliance; and
- Indemnification and liability allocation, though the OPC has emphasized that contractual indemnification does not relieve the transferor of its accountability obligation under PIPEDA.
Ongoing monitoring and enforcement — the duty does not end at contract signing
The OPC's 2009 Guidelines and subsequent enforcement decisions make clear that accountability under Principle 4.1.3 is continuous. The transferring organization must actively monitor the processor's compliance and enforce the contractual obligations. The OPC's February 2014 publication Privacy and outsourcing for businesses states that organizations "must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times" (emphasis added).
The TD 2020-001 finding confirmed that the OPC expects organizations to implement mechanisms to verify ongoing compliance. The OPC reviewed TD's contract with the Indian service provider "as well as the supporting documentation that TD provided our Office to demonstrate how it confirms that the service [provider complies]." The OPC did not specify the exact monitoring mechanisms TD had in place, but the finding's emphasis on "technological controls, coupled with the terms of its contract with the service provider and associated monitoring and enforcement of those contractual provisions" (emphasis added) indicates that periodic verification is mandatory.
Organizations should therefore implement ongoing monitoring measures such as:
- Periodic audits of the processor's security controls, whether conducted by the organization's internal audit team, an independent third-party auditor, or through review of the processor's SOC 2 Type II or ISO 27001 certification reports;
- Breach and incident reporting protocols, requiring the processor to report any security incidents, unauthorized access, or near-miss events to the transferor within a specified timeframe (e.g., 24 hours);
- Regular attestations or certifications from the processor confirming compliance with the contract's privacy and security obligations;
- Key performance indicators (KPIs) or service-level agreements (SLAs) that measure the processor's compliance with data protection obligations (e.g., percentage of employees completing annual privacy training, encryption coverage, access log review frequency);
- Periodic risk re-assessments, particularly when the processor changes its operating environment (new subcontractors, migration to a different data center, expansion into a new jurisdiction with different legal requirements).
Limits of contractual control — foreign government access and mandatory disclosure laws
The OPC's 2009 Guidelines acknowledge that "what the organization cannot do through contract — or indeed by any other means — is to override the laws of a foreign jurisdiction." When a foreign processor is subject to mandatory disclosure laws (e.g., U.S. CLOUD Act, FISA national security letter, administrative subpoena), the processor will be legally compelled to disclose the personal information to the foreign government, and no contract term can prevent that disclosure.
In the CIBC 2005-313 investigation, the Assistant Privacy Commissioner noted that "while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws." The OPC's position is that the transferring organization satisfies its accountability obligation under Principle 4.1.3 if it (1) conducts due diligence on the foreign legal framework, (2) imposes contractual safeguards to the extent legally possible, and (3) discloses the foreign government access risk to individuals under Principle 4.8 (Openness). The organization cannot prevent lawful foreign government access, but it must be transparent about the risk and must ensure that the processor does not voluntarily disclose personal information beyond what the foreign law compels.
Remedies when a processor fails to comply
When ongoing monitoring reveals that a foreign processor is not complying with its contractual privacy obligations, the transferring organization must take corrective action. The nature of the corrective action depends on the severity and persistence of the non-compliance, but the OPC has indicated that options include:
- Immediate remediation (requiring the processor to correct the deficiency within a specified cure period);
- Suspension of further transfers until the processor demonstrates compliance;
- Termination of the processing relationship and migration to a compliant processor, with secure return or destruction of all personal information in the non-compliant processor's possession;
- Notification to affected individuals if the non-compliance constitutes a breach of security safeguards reportable under PIPEDA Part 1.1; and
- Self-reporting to the OPC if the non-compliance represents a systemic failure of the organization's accountability framework.
The OPC's position is that the transferring organization cannot delegate accountability to the processor. Even if the processor is solely responsible for a breach or compliance failure, the transferring organization remains accountable to the OPC and to affected individuals under Principle 4.1.3.
Applicability — all organizations subject to PIPEDA, with heightened expectations for regulated entities
The due diligence and monitoring obligations under Principle 4.1.3 apply to all organizations subject to PIPEDA, regardless of size or sector. The OPC's 2009 Guidelines and enforcement decisions do not exempt small or medium-sized enterprises, though the OPC has acknowledged in its April 2012 guidance Getting Accountability Right with a Privacy Management Program that the scope and formality of the accountability framework should be determined by "tak[ing] into consideration a number of factors, including the size of the organization, and the amount and sensitivity of the personal information it handles."
Federally regulated financial institutions (banks, insurers, trust and loan companies) are subject to both PIPEDA Principle 4.1.3 and OSFI Guideline B-10, and the OPC has consistently applied a heightened standard of due diligence to these entities in its enforcement decisions. The OSFI B-10 Guideline requires that "[w]hen the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE's risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s)."
Source: PIPEDA Schedule 1, Principle 4.1.3
Source: OPC Guidelines for Processing Personal Data Across Borders, January 27, 2009
Source: OPC Privacy and outsourcing for businesses, January 14, 2014
Source: PIPEDA Findings #2020-001: Bank ensures openness and comparable protection for personal information transferred to third party, August 4, 2020
Source: PIPEDA Case Summary #2005-313: Bank's notification to customers triggers PATRIOT Act concerns, October 19, 2005
Source: OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes, March 2009
Breach notification obligations when a foreign processor experiences a breach
When a Canadian organization transfers personal information to a foreign processor — whether in the United States, India, the Philippines, or any other jurisdiction — and that processor experiences a breach of security safeguards, the Canadian organization remains responsible for reporting the breach to the Office of the Privacy Commissioner of Canada (OPC) and notifying affected individuals if the breach creates a real risk of significant harm (RROSH). The processor itself has no direct reporting obligation under PIPEDA; accountability under Part 1.1 of PIPEDA rests with the organization that controls the personal information.
Statutory foundation — sections 10.1 to 10.3 of PIPEDA
Part 1.1 of PIPEDA, entitled "Breaches of Security Safeguards," came into force on November 1, 2018, implementing the amendments in the Digital Privacy Act, S.C. 2015, c. 32. Section 10.1(1) requires that "[a]n organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." Section 10.1(3) imposes a parallel obligation to notify affected individuals. Section 10.3(1) mandates that every organization "keep and maintain a record of every breach of security safeguards involving personal information under its control," regardless of whether the breach meets the RROSH threshold, and the Breach of Security Safeguards Regulations, SOR/2018-64, require that these records be retained for 24 months.
A "breach of security safeguards" is defined in section 2(1) of PIPEDA as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in clause 4.7 of Schedule 1 [Principle 4.7, Security Safeguards] or from a failure to establish those safeguards." The definition is technology-neutral and applies equally to breaches occurring in Canada and breaches occurring in a foreign jurisdiction, including those at the hands of a third-party processor.
Who has "control" and must report — the principal organization, not the processor
The OPC's October 29, 2018 guidance document, What you need to know about mandatory reporting of breaches of security safeguards, clarifies that when an organization (the "principal organization") has transferred personal information to a third party for processing and a breach occurs while the information is with the processor, the principal organization remains in control of the personal information and therefore bears the responsibility for breach reporting, notification, and record-keeping. The OPC states:
> "PIPEDA's accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing. . . . Therefore in this context, we find it reasonable to interpret the principal organization as having control of the personal information and therefore responsibility for breach reporting in respect of a breach that occurs with the third party processor."
This interpretation flows directly from Principle 4.1.3 of Schedule 1 to PIPEDA, which provides that "[a]n organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing" (emphasis added). The accountability obligation under Principle 4.1.3 does not cease when the information leaves Canada; it persists regardless of where the processor is located or where the breach occurs.
The OPC acknowledged in its 2018 guidance that "business relationships can be very complex and determining who has personal information 'under its control' needs to be assessed on a case-by-case basis," but the baseline rule is clear: when an organization engages a processor to handle personal information for the purposes for which the organization originally collected it, the organization retains control and the processor is acting on the organization's behalf. In the cross-border transfer context, a Canadian organization that engages a U.S. cloud provider to host customer records, an Indian service provider to process fraud claims, or a Philippine call center to manage customer service inquiries remains the controller under PIPEDA and must report any breach of security safeguards at the processor.
Contractual obligation to ensure timely processor notification
Because the principal organization bears the reporting obligation but may not discover the breach until the processor discloses it, the OPC's 2018 guidance emphasizes that "the principal organization will need to ensure there are sufficient contractual arrangements in place with the processor to address compliance with the breach provisions set out in PIPEDA." The same is true for notification and record-keeping obligations.
The contract with the foreign processor must therefore include a breach notification clause requiring the processor to notify the principal organization immediately upon discovering a breach of security safeguards involving the personal information being processed. The OPC has not prescribed a specific notification deadline in the contract (e.g., "within 24 hours"), but the principal organization's own statutory reporting deadline under section 10.1(2) of PIPEDA is "as soon as feasible after the organization determines that the breach has occurred." A delayed notification from the processor will compress the principal organization's timeline for conducting the RROSH assessment and submitting the report to the OPC. Best practice is therefore to require the processor to notify the principal organization immediately — ideally within 24 to 48 hours of discovery — and to provide all information necessary for the principal organization to assess RROSH (the types and volume of personal information affected, the cause of the breach, whether the information was encrypted, whether unauthorized access or exfiltration occurred, and the identity of the unauthorized party if known).
Timeline for reporting to the OPC and notifying individuals — "as soon as feasible"
Unlike the European Union's GDPR, which imposes a fixed 72-hour deadline for data controllers to report a personal data breach to the supervisory authority (Article 33(1) GDPR), PIPEDA does not prescribe a hard timeline. Section 10.1(2) of PIPEDA requires only that the report "be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred." Section 10.1(6) imposes the same "as soon as feasible" standard for notification to affected individuals.
The OPC has interpreted "as soon as feasible" flexibly, acknowledging that organizations need time to investigate a breach, determine its scope, and assess RROSH. However, "as soon as feasible" is not infinitely elastic. In PIPEDA Findings #2022-004, the OPC investigated a U.S.-based hotel and casino operator that suffered a breach in July 2019, began notifying affected Americans shortly thereafter, but did not assess the impact on Canadians or report to the OPC until June 2020 — nearly 12 months after the breach. The OPC found that the organization contravened section 10.1 because it failed to report and notify "as soon as feasible." The OPC stated:
> "While the OPC quite reasonably acknowledged that it can often take weeks or months to investigate a breach and determine its scope, it found it unacceptable that the Company did not start an RROSH assessment [for Canadians] until almost six months after it began notifying affected Americans."
The OPC emphasized that organizations subject to PIPEDA must conduct concurrent assessments for Canadian-resident personal information, not sequential assessments that prioritize other jurisdictions (e.g., the United States or the EU). The takeaway for cross-border transfers is that when a foreign processor notifies the Canadian principal organization of a breach, the Canadian organization must immediately begin its RROSH assessment and, if the threshold is met, report to the OPC and notify affected individuals without waiting for the processor to complete its own breach response in the processor's home jurisdiction.
The RROSH assessment — sensitivity and probability of misuse
Not every breach triggers the reporting and notification obligations. Section 10.1(1) and (3) of PIPEDA require reporting and notification only if "it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." This is a threshold assessment the principal organization must conduct for every breach, including breaches at a foreign processor.
Section 10.1(7) of PIPEDA defines "significant harm" broadly to include "bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Section 10.1(8) specifies that the factors relevant to determining whether a breach creates a real risk of significant harm include:
- (a) the sensitivity of the personal information involved in the breach; and
- (b) the probability that the personal information has been, is being or will be misused.
The OPC's 2018 guidance elaborates that organizations should consider the context in which the information was collected, the reasonable expectations of the individuals, and whether the breach involves information such as financial account numbers, government identifiers (Social Insurance Numbers, driver's license numbers), health information, or information that could be used to commit identity theft or fraud. For probability of misuse, the OPC instructs organizations to consider whether the information was encrypted; whether the breach was the result of malicious intent (e.g., a ransomware attack or targeted exfiltration) or human error (e.g., an email sent to the wrong recipient); whether the unauthorized party is known and has returned or destroyed the information; and the volume of individuals affected.
In the cross-border transfer context, a ransomware attack on a U.S. cloud provider hosting unencrypted Canadian customer records, or a data exfiltration incident at an Indian payroll processor involving government identifiers and financial account numbers of Canadian employees, will almost certainly meet the RROSH threshold. A breach involving only business contact information (names and work email addresses) or information that was encrypted at rest with the encryption key stored separately and not compromised is less likely to meet the threshold, though the principal organization must document the RROSH assessment in its breach record regardless of the outcome.
Record-keeping obligation — every breach, whether reportable or not
Section 10.3(1) of PIPEDA requires that an organization "keep and maintain a record of every breach of security safeguards involving personal information under its control," whether or not the breach meets the RROSH threshold. Section 6(1) of the Breach of Security Safeguards Regulations specifies that the record must be maintained for 24 months after the day on which the organization determines that the breach has occurred. Section 6(2) provides that the record "must contain any information that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act" — that is, whether the organization properly assessed RROSH and fulfilled its reporting and notification obligations.
For breaches occurring at a foreign processor, the principal organization must therefore create and retain a breach record that includes at a minimum: a description of the breach (what happened, when, and where); the types and volume of personal information involved; the number of affected individuals (or an estimate); the cause of the breach; the organization's RROSH assessment (including the factors considered and the rationale for concluding that the breach did or did not meet the threshold); a description of any notification provided to affected individuals and to other organizations that could reduce the risk of harm (e.g., payment card issuers, law enforcement); and the steps the organization has taken or will take to mitigate the breach and prevent recurrence. The OPC can request access to these records at any time under section 10.3(2), and failure to maintain adequate records is itself a contravention of PIPEDA.
In its 2019 breach record inspection of Canadian telecommunications providers, the OPC found that a significant number of breach records "did not include sufficient details for the OPC to understand the [organization's] decision about RROSH." Organizations that rely on solicitor-client privilege to withhold portions of the breach record run the risk that the OPC will conclude the record does not meet the statutory requirement to "enable the Commissioner to verify compliance."
Interaction with the foreign processor's own breach notification obligations
Many jurisdictions impose their own breach notification requirements on organizations that experience a breach. For example, all 50 U.S. states and the District of Columbia have enacted data breach notification statutes requiring notification to affected residents and, in many cases, to the state attorney general or a state regulator. The EU's GDPR requires data processors to notify the data controller "without undue delay" upon becoming aware of a personal data breach (Article 33(2) GDPR), and the controller must then report to the supervisory authority within 72 hours (Article 33(1) GDPR).
PIPEDA does not override or replace the foreign processor's obligations under the law of the jurisdiction where the processor is located. A U.S.-based processor that suffers a breach involving personal information of Canadian residents may be required to notify affected individuals under the applicable U.S. state breach notification statutes and to notify the Canadian principal organization under the contract so that the principal organization can satisfy its PIPEDA obligations. The two notification regimes operate in parallel. The principal organization should therefore ensure that the contract with the foreign processor specifies that the processor's compliance with its own local breach notification laws does not satisfy the processor's obligation to notify the principal organization under the contract, and that the processor must provide the principal organization with all information necessary for the principal organization to comply with PIPEDA, even if that information exceeds what the processor is required to disclose under its home-jurisdiction law.
Notification to other organizations that can reduce the risk of harm — section 10.2 of PIPEDA
Section 10.2(1) of PIPEDA provides that an organization that notifies an individual of a breach under section 10.1(3) "shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm." This is a mandatory obligation, not discretionary.
In the cross-border transfer context, examples of third-party notification under section 10.2 include:
- Payment card issuers or networks (Visa, Mastercard, American Express) if the breach involves payment card numbers, so that the issuer can monitor for fraudulent transactions and reissue cards;
- Credit bureaus (Equifax, TransUnion) if the breach involves government identifiers or financial information that could be used to open fraudulent credit accounts;
- Law enforcement (RCMP, local police, FBI if the breach involved a U.S.-based processor and the unauthorized party is believed to be in the U.S.) if the breach was the result of criminal activity (hacking, ransomware, insider theft);
- The foreign processor's supervisory authority if the breach occurred at the processor and the processor's home jurisdiction has a data protection authority that may have investigative or remedial powers (e.g., the U.S. Federal Trade Commission if the processor is subject to FTC jurisdiction, the UK Information Commissioner's Office if the processor is in the UK).
Section 10.2(2) requires that the notification to the third-party organization be given "as soon as feasible after the organization determines that the breach has occurred" — the same timeline as the report to the OPC and the notification to affected individuals.
Criminal penalties for failure to report or notify — section 28 of PIPEDA
Section 28 of PIPEDA, as amended by the Digital Privacy Act, creates a criminal offence for knowingly failing to comply with the breach notification and record-keeping obligations. Specifically, section 28 provides that every person or organization that knowingly contravenes section 10.1 (reporting to the OPC and notifying individuals), section 10.2 (notifying other organizations), or section 10.3 (maintaining breach records) is guilty of an offence punishable on summary conviction and liable to a fine not exceeding $100,000 per violation.
The mens rea requirement is "knowingly." An organization that makes a good-faith error in its RROSH assessment (concluding a breach did not meet the threshold when in hindsight it did) will not be prosecuted under section 28, though the OPC may issue a finding of non-compliance. However, an organization that discovers a breach, deliberately conceals it, and fails to report or notify will face potential criminal prosecution. The OPC refers potential criminal violations to the Attorney General of Canada for prosecution.
Takeaways for cross-border transfers
Organizations transferring personal information to foreign processors must:
- Include breach notification provisions in the contract requiring the processor to notify the principal organization immediately upon discovering a breach, and to provide all information necessary for the principal organization to conduct the RROSH assessment;
- Treat the processor's notification as the starting gun for the "as soon as feasible" clock under PIPEDA — do not wait for the processor to complete its own breach investigation or notification process in the processor's home jurisdiction;
- Conduct a concurrent RROSH assessment for Canadian-resident personal information at the same time as (not after) any assessment for U.S., EU, or other affected populations;
- Report to the OPC and notify affected individuals as soon as feasible if the breach meets the RROSH threshold, using the OPC's prescribed breach report form;
- Maintain a breach record for 24 months containing sufficient detail for the OPC to verify compliance, regardless of whether the breach was reportable;
- Notify third-party organizations (payment card issuers, credit bureaus, law enforcement) that can reduce the risk of harm or mitigate the harm; and
- Remember that accountability cannot be delegated — the foreign processor's compliance with its own breach notification laws does not relieve the Canadian principal organization of its obligations under PIPEDA Part 1.1.
Source: PIPEDA sections 10.1–10.3, S.C. 2000, c. 5
Source: Breach of Security Safeguards Regulations, SOR/2018-64
Source: OPC, What you need to know about mandatory reporting of breaches of security safeguards, October 29, 2018
EU adequacy decision for Canada — scope, 2024 review outcome, and limitations
The European Commission adopted Decision 2002/2/EC on December 20, 2001, finding that Canada provides an adequate level of protection for personal data transferred from the European Economic Area (EEA) to recipients subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). This adequacy decision enables organizations in the EU and EEA member states to transfer personal data to Canadian organizations covered by PIPEDA without additional safeguards under Article 45 of the General Data Protection Regulation (GDPR). The decision remains in force as of June 2, 2026, following the Commission's January 15, 2024 periodic review, which reaffirmed Canada's adequacy status.
Legal foundation and transition to the GDPR
Decision 2002/2/EC was adopted under Article 25(6) of Directive 95/46/EC, the predecessor to the GDPR. When the GDPR took effect on May 25, 2018, Article 45(9) GDPR provided that adequacy decisions adopted under Directive 95/46/EC "shall remain in force until amended, replaced or repealed by a Commission Decision adopted" under the GDPR. Canada's 2001 adequacy decision therefore carried forward automatically into the GDPR era without requiring a new Commission decision at that time.
Scope — organizations subject to PIPEDA, not provincial laws
The adequacy decision covers personal data transferred to "recipients subject to the Personal Information Protection and Electronic Documents Act." PIPEDA applies to organizations that collect, use, or disclose personal information in the course of commercial activities, as well as to federally regulated works, undertakings, and businesses (airlines, banks, telecommunications carriers) in respect of employee personal information.
The adequacy decision does not directly cover organizations subject only to provincial privacy laws. Three Canadian provinces — Quebec, British Columbia, and Alberta — have enacted substantially similar private-sector privacy legislation that can apply in place of PIPEDA for activities that are wholly within the province (intra-provincial commercial activity). However, cross-border transfers from those provinces to recipients outside Canada are governed by PIPEDA, not provincial law. The European Commission's 2024 review confirmed that "PIPEDA is currently subject to a legislative reform which could further strengthen privacy protections," and noted ongoing work to harmonize federal and provincial frameworks, but the adequacy finding itself is limited to PIPEDA.
Decision 2002/2/EC, Article 6, provides that the decision "may be amended at any time in the light of experience with its functioning or of changes in Canadian legislation, including measures recognising that a Canadian province has substantially similar legislation" (emphasis added). The Commission has not yet amended the decision to extend adequacy to any provincial law, though the Office of the Privacy Commissioner of Canada (OPC) has confirmed that cross-border transfers from Quebec, British Columbia, and Alberta fall within the adequacy decision because PIPEDA governs those transfers even when the domestic activity is provincially regulated.
What adequacy permits — no additional safeguards required for transfers to PIPEDA-covered recipients
Under Article 45(1) GDPR, a transfer of personal data to a third country for which the Commission has adopted an adequacy decision "may take place without any specific authorisation" from a supervisory authority and without the need for the data exporter to implement additional safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). For organizations in the EU and EEA, this means that transferring personal data to a Canadian bank, insurance company, e-commerce retailer, SaaS provider, or any other organization subject to PIPEDA is treated the same as transferring data to a recipient within the EU or another adequate jurisdiction.
The adequacy decision does not, however, override the GDPR's other substantive obligations. The EU data exporter must still have a lawful basis under Article 6 GDPR for the processing (consent, contract, legitimate interests, etc.), must comply with transparency obligations under Articles 13 and 14 GDPR (informing data subjects that their data will be transferred to Canada and identifying the recipient), and must comply with the GDPR's principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality under Article 5 GDPR. Adequacy eliminates the Chapter V transfer mechanism requirement; it does not exempt the transfer from the GDPR's general data protection obligations.
Periodic review requirement — at least every four years
Article 45(3) GDPR requires the Commission to "monitor on a continuous basis developments in third countries and international organisations" that could affect adequacy findings, and Article 45(4) GDPR mandates that the Commission "carry out a periodic review of the functioning of [adequacy] decisions . . . at least every four years" (emphasis added). The review assesses whether the third country "continues to ensure an adequate level of protection" in light of legal, regulatory, and enforcement developments since the last review or the original adequacy decision.
January 15, 2024 review outcome — adequacy reaffirmed
On January 15, 2024, the European Commission published Communication COM(2024) 7 final, entitled Report on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC, covering 11 adequacy decisions that predated the GDPR, including Canada's. The Commission concluded:
> "Based on the overall findings set out in the SWD, the Commission concludes that Canada continues to provide an adequate level of protection for personal data transferred from the EU to recipients subject to PIPEDA."
The Commission's accompanying Staff Working Document noted that PIPEDA has been strengthened through amendments since 2001, including the 2015 Digital Privacy Act, which introduced mandatory breach notification obligations (sections 10.1 to 10.3 of PIPEDA, effective November 1, 2018), enhanced consent requirements, and additional enforcement tools for the OPC. The Commission also highlighted that the OPC has issued extensive guidance clarifying key data protection requirements, including the concept of "sensitive personal information," which the OPC updated in August 2021 to align more closely with the GDPR's Article 9 special categories of personal data (health information, financial information, ethnic and racial origins, political opinions, genetic and biometric data, sex life or sexual orientation, and religious or philosophical beliefs).
The Commission's 2024 review did, however, issue a recommendation:
> "The Commission recommends enshrining some of the protections that have been developed at sub-legislative level in legislation to enhance legal certainty and consolidate these requirements."
This recommendation refers to the OPC's guidance documents on topics such as consent, sensitive personal information, breach notification, and cross-border transfers. The Commission noted that while the OPC's guidance is influential and has been cited by Canadian courts, it is not itself binding legislation, and the Commission encouraged Canada to codify key protections in statute to ensure they cannot be weakened without legislative amendment.
The Commission also noted that PIPEDA is "currently subject to a legislative reform" — a reference to Bill C-27, the Digital Charter Implementation Act, 2022, which was introduced in the House of Commons in June 2022 and remains under parliamentary review as of June 2, 2026. Bill C-27 would repeal PIPEDA and replace it with the Consumer Privacy Protection Act (CPPA), which includes expanded individual rights, new transparency obligations, enhanced enforcement powers for the OPC (including the power to issue binding orders and impose administrative monetary penalties up to CAD $25 million or 5% of global revenue), and a codified requirement for data protection impact assessments (DPIAs) for high-risk processing activities. The Commission's 2024 review acknowledged that passage of Bill C-27 could "further strengthen privacy protections, including in areas that are relevant for the adequacy finding."
Next review expected 2028
The OPC has publicly stated that adequacy decisions are reviewed "at least every four years" under the GDPR, and that "we expect another review in 2028." Organizations relying on the adequacy decision should monitor developments in Canadian privacy law (particularly the status of Bill C-27) and any public statements from the European Commission or the European Data Protection Board (EDPB) regarding the ongoing adequacy assessment. The Commission's 2024 review noted that it "intends to closely monitor future developments in Canada," particularly with respect to the legislative reform process and any changes to government access powers.
Limitations — law enforcement, national security, and onward transfers
The adequacy decision covers commercial transfers under PIPEDA. It does not cover transfers of personal data for law enforcement purposes under the EU's Law Enforcement Directive (Directive (EU) 2016/680, the "LED"). The LED governs the processing of personal data by competent authorities (police, prosecutors, courts) for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties. Article 36 LED requires that cross-border transfers to third countries for law enforcement purposes be based on an adequacy decision adopted specifically under the LED, or on alternative transfer mechanisms such as international agreements, legally binding instruments, or LED-compliant safeguards.
Canada does not have an adequacy decision under the LED. The European Commission has adopted LED adequacy decisions only for the United Kingdom (as of the Brexit transition) and has not extended LED adequacy to any other jurisdiction, including Canada. EU law enforcement authorities transferring personal data to Canadian law enforcement authorities (e.g., RCMP, provincial police, CBSA for immigration enforcement) must therefore rely on alternative transfer mechanisms under Article 36 LED, such as an international agreement (the EU-Canada Passenger Name Record (PNR) Agreement, signed in 2014 and in force since 2017, is an example of such a bilateral instrument for a specific category of law enforcement data transfers), or case-by-case adequacy assessments and safeguards.
Onward transfers from Canada to non-adequate third countries
When a Canadian organization covered by PIPEDA receives personal data from the EU under the adequacy decision and subsequently transfers that data onward to a third country that does not have an EU adequacy decision (e.g., the United States, India, the Philippines), the Canadian organization's onward transfer obligations are governed by PIPEDA, not the GDPR. PIPEDA does not prohibit onward transfers and does not impose adequacy requirements; instead, PIPEDA's accountability principle (Principle 4.1.3 of Schedule 1) requires the Canadian organization to ensure a "comparable level of protection" through contractual or other means, as described in the OPC's January 2009 Guidelines for Processing Personal Data Across Borders.
However, the EU data exporter retains obligations under the GDPR even after the data arrives in Canada. The GDPR does not permit an EU organization to "launder" data through an adequate jurisdiction to circumvent the GDPR's transfer safeguards. If the EU data exporter knows or should know that the Canadian recipient will re-transfer the data to a non-adequate third country (e.g., a U.S. cloud provider for hosting, an Indian service provider for customer support), the EU data exporter must assess whether the onward transfer is compatible with the GDPR's Chapter V requirements.
The EDPB has not issued formal guidance on the onward-transfer obligations of data controllers in adequate third countries, and the legal position is therefore unsettled. The conservative interpretation, particularly post-Schrems II (CJEU Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, judgment of July 16, 2020), is that if the EU data exporter knows the Canadian recipient will onward-transfer the data to the United States or another jurisdiction where government access laws may not meet GDPR standards (e.g., FISA Section 702, Executive Order 12333, the CLOUD Act), the EU data exporter should either:
- Contractually prohibit the Canadian recipient from onward-transferring the data to non-adequate jurisdictions without the EU exporter's prior written consent and a Chapter V transfer mechanism (SCCs, BCRs, derogations); or
- Implement SCCs between the EU exporter and the Canadian recipient, treating the Canadian recipient as an importer subject to GDPR-compliant transfer safeguards, even though Canada has adequacy, in order to govern the onward transfer chain and impose supplementary measures if necessary under the Schrems II framework.
In practice, many EU organizations transferring data to Canadian service providers that use U.S. sub-processors (cloud hosting, payment processing, analytics) now include EU Standard Contractual Clauses in their agreements with the Canadian recipient and require the Canadian recipient to flow down equivalent SCCs to any non-adequate sub-processors. This approach treats the Canadian recipient as having dual status: adequate for PIPEDA-governed activities, but contractually bound to GDPR-compliant transfer safeguards for any onward transfers outside Canada.
Practical takeaways for Canadian organizations receiving EU personal data
Canadian organizations that receive personal data from the EU under the adequacy decision should:
- Verify PIPEDA coverage — confirm that the organization is subject to PIPEDA (engaged in commercial activity or a federally regulated work/undertaking) and that the transfer falls within the adequacy decision's scope;
- Document the transfer — maintain records showing the legal basis for the transfer under GDPR (the EU exporter's responsibility) and the lawful basis for processing in Canada under PIPEDA (consent, contract, or another Schedule 1 ground);
- Notify data subjects — comply with PIPEDA's transparency obligations (Principle 4.8, Openness) and, if the organization is also subject to the GDPR as a controller or processor (e.g., because it offers goods or services to EU data subjects or monitors their behavior under Article 3(2) GDPR), comply with the GDPR's Articles 13 and 14 transparency obligations;
- Address onward transfers contractually — if the organization will transfer the EU personal data onward to a non-adequate third country, disclose that intention to the EU data exporter, obtain consent if required by the contract, and ensure contractual safeguards under PIPEDA Principle 4.1.3;
- Monitor adequacy status — track developments in the EU's periodic review process, Canadian legislative reform (Bill C-27), and any EDPB guidance on adequacy and onward transfers;
- Prepare for potential adequacy withdrawal — though the January 2024 review reaffirmed adequacy, the Commission's recommendation to codify sub-legislative protections and its ongoing monitoring of government access powers mean that Canadian organizations should have a contingency plan (SCCs, BCRs, or other Chapter V mechanisms) in case the Commission suspends or repeals the adequacy decision in a future review.
The adequacy decision provides a streamlined legal pathway for EU-to-Canada data flows, but it does not eliminate the need for careful legal analysis of the transfer's purpose, the data's sensitivity, and the obligations of both the EU exporter and the Canadian importer under their respective legal regimes.
Source: Commission Decision 2002/2/EC of 20 December 2001 on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act
Source: European Commission Communication COM(2024) 7 final, Report on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC, January 15, 2024
Source: OPC, Issue sheets on the review of Alberta's PIPA, September 24, 2024