(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and in respect of given conditions. The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has issued guidance on the making of such assessments(2).
(8) Canada formally adhered to the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on June 29, 1984. Canada was among the countries that supported the United Nations Guidelines Concerning Computerized Personal Data Files which were adopted by the General Assembly on 14 December 1990.
(10) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(11) The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion on the level of protection provided by the Canadian Act, which have been taken into account in the preparation of this Decision(4).
For the purposes of Article 25(2) of Directive 95/46/EC, Canada is considered as providing an adequate level of protection for personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documents Act ("the Canadian Act").
This Decision concerns only the adequacy of protection provided in Canada by the Canadian Act with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in Canada whose activities fall under the scope of the Canadian Act in order to protect individuals with regard to the processing of their personal data in cases where:
(1) OJ L 281, 23.11.1995, p. 31.
/n
(2) WP 12: Transfers of personal data to third countries: applying Articles 25 and 26 of the EU data protection directive, adopted by the Working Party on 24 July 1998, available at http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wpdocs_98.htm
/n
(3) Electronically published (paper and web) versions of the Act are available at http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6_cover-E.html and http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6_cover-F.html. Printed versions are available at Public Works and Government Services Canada - Publishing, Ottawa, Canada K1A 0S9.
/n
(4) Opinion 2/2001 on the adequacy of the Canadian Personal Information and Electronic Documents Act - WP 39 of 26 January 2001 available at http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm