Global M&A trends and risks
Powerful new forces shaping in the M&A landscape
You can withdraw your consent by clicking “manage cookies” and following the instructions shown.
Canada | Publication | September 27, 2021
On June 4, 2021, the European Commission issued an updated version of its Standard Contractual Clauses (the new SCCs), marking the first update since the coming into force of the General Data Protection Regulation. This update outlines some of the main changes, and what this means from a Canadian perspective.
The new SCCs replace the sets of SCCs that were previously adopted in 2010 (the old SCCs).
The SCCs are contractual clauses endorsed by the European Commission as an adequate transfer mechanism. Unless a country is granted an adequacy status by the EU, organizations wanting to share data outside of the EU need a valid transfer mechanism.
The SCCs are generally presented as an appendix to a Data Processing Agreement (DPA).
The new SCCs cover four types of possible arrangements between data controllers and processors and organizes them in modules. The controller is generally the owner of the data and decides the purpose of the data processing. The processor can be a service provider that is contracted to process the data on behalf of the controller.
Modules 1 and 2 were already covered under the old SCCs, while modules 3 and 4 are new additions. This use of modules creates more complete SCCs that allow for a broader variety of scenarios.
Among the changes, we note the following key modifications:
Canada has maintained an adequacy status with the EU since 2001 for data subjects falling under the Personal Information Protection and Electronic Documents Act (PIPEDA). Under this adequacy status, personal data can flow freely from the EU to Canada without needing additional safeguards. This means a Canadian organization, if covered by PIPEDA, need not enter into the SCCs when entering into a DPA with a European organization.
The SCCs would, however, be required if the Canadian processor is located in Alberta, British Columbia or Quebec, if the data transferred pertains to employees that are not covered by PIPEDA, or if a Canadian processor opts to use a foreign non-Canadian sub-processor when providing services to a European controller.
EU organizations may also insist on implementing the SCCs for all data-sharing contracts regardless of adequacy status of the receiving country for added protection. This is due in part to the adequacy status of the United States, named Privacy Shield, becoming invalid in 2020 through the Schrems II decision.
As such, Canadian organizations should not ignore the new SCCs based on Canada’s adequacy status alone. Organizations should read the new SCCs closely, and assess any technical or administrative gaps within the organization that currently impede full compliance with the requirements listed in the SCCs. They may also want to be ready with updated contracts, policies and protocols, as necessary.
Nina Varumo is a freelance portrait and documentary photographer based in Stockholm. A recent project of hers Kvinnor till sjöss (‘Women at sea’) is on ongoing photo series highlighting the working life of female seafarers in order to change the stereotypical image of what and who is a seafarer.
Companies have been publicly reporting on their financial performance for over a hundred years. However, they are increasingly having to make public non-financial disclosures relating to sustainability and environmental, social and governance (ESG) matters as a result of rules, laws and regulations issued by stock exchanges, governments and regulators worldwide.
© Norton Rose Fulbright LLP 2023