Certain countries have a complex relationship with GDPR due to local laws

Warning! Pay attention to exceptions

Pay extra attention to local laws which do not guarantee appropriate protections. Asses for additional complexity and evaluate if requirements similar to third countries apply.

As with some laws, GDPR and adequacy rules have created certain complex rules. Therefore, it might be necessary to look at specific countries in detail regarding adequacy ruling.


Canada is a prime example. All provinces benefit from a significant degree of autonomy from Canada's federal system.

Why does this matter in the context of GDPR?

The ruling by European Commission states that Canada's Personal Information Protection and Electronic Documents Act, PIPEDA, provides adequate personal data protection. The problem is that PIPEDA binds not all provinces.

Alberta, British Columbia, and Quebec benefit from a "substantial similarity" exemption to PIPEDA in commercial activities. Unfortunately, this puts these provinces outside of federal jurisdiction regarding privacy and personal data protection.

By not falling under PIPEDA, these three provinces are not meeting the European Commission's adequacy decision in every scenario.

The International Association of Privacy Professionals article is much more detailed and thorough in the description of the issue.

TL;DR: Yes, Canada is an adequate country. No, not every commercial operation, in every province will meet the adequacy criteria.