[JackWritesCode]

1. I understand the piece about "stamp" of adequacy. But when the Schrems II ruling happened, the world learned that we cannot always rely on "stamps" and need to look into the laws. At this moment in time, the European Commission says that Canada has adequacy ruling as a whole and there is no note about it not apply to British Columbia.

So my question to you is: Which part of the Personal Information Protection Act in BC would undermine the EU's adequacy decision towards BC? The reason I'm pushing on this question is because the "stamp" occurs for a reason. Please let me know where the PIPA would lead to the European Commission labelling BC as inadequate.

2. We're mixing things up here with Amazon, Google and Azure. Those companies are subject to FISA 702[1] and EO12333[2]. We are not subject to these surveillance laws here in Canada. I've spoken at length about this before, about how the US government could compel one of these companies to secretly spy on people using their EU infrastructure. So our company is not in the same position.

I'll wait for your specifics around the PIPA.

[1] https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla... [2] https://en.wikipedia.org/wiki/Executive_Order_12333

[openplatypus]

Disclaimer: I am not a Privacy Lawyer, I am basing what I wrote here on the text of IAPP. I was looking for a reviewed PIPEDA adequacy decision. I saw references about it coming in 2020, then 2021, then 2022. Can't really find anything specific.

RE: 1

I am looking at this document: https://www.bclaws.gov.bc.ca/civix/document/id/complete/stat...

I assume this is up-to-date.

I will take one example: the Right to be forgotten. I don't see provision that satisfies the right to be forgotten: https://gdpr.eu/right-to-be-forgotten/

You seem to have a more in-depth understanding of PIPA. Can you point me towards a similar requirement in PIPA?

Looking at C-27, it appears that even PIPEDA is playing catch-up. But that was CPPA.

Btw. I am not suggesting Adequacy is always decided on privacy laws being EXACTLY like GDPR. Given the only reference to adequacy I found thus far was based on a 2001 review, I am not sure what would be appropriate criteria here beyond access to "an appropriate" level of legal protection.

The text in IAPP article refers to the adequacy of PIPEDA. Not Canada. It is actually interesting that there is no adequacy with Canada, but only with Canadian PIPEDA.

RE 2:

Right, I was referring to the fact that customers of Fathom sign contract/get into agreement with a company in British Columbia under its laws. It is mostly irrelevant where their CTO resides (it would be relevant if you resided in a non-adequate country, as your privacy policy would have to account for relevant data transfers).

[JackWritesCode]

Fathom's script forgets everybody by default, it's literally built into the tech. No EU personal data is touching Canada.

The background of Schrems II was that the US government can compel US companies to track foreign nationals and it would be lawful under US law. This is where the argument of "company in X under Y laws" comes into play. For example, Amazon is a US company. An EU subsidiary is still subject to it's parents control. If that parent is a US company, it's subject to US surveillance laws. Hello Schrems II.

So I'm not fully following why we're having a discussion around processing happening in Canada when personal data (IP Address) hits our EU Isolation infrastructure.

If you have any sources you can cite where the European Commission states BC as an exemption to Canada's adequacy ruling, please throw it back to me. I've not seen that.