Let's assume I do business with organization X but I now want to deal with a competitor. I will have the right to tell organization X to transfer my data to organization Y, with whom I will be doing business going forward.
I can give you another example. In some cases, a privacy impact assessment will be required before a practice or program can be introduced. The regulation is creating a whole slew of new rights that do not exist in the Canadian legislation. I am going to speak frankly, if I may. The European Union has learned from its mistakes. In fact, Europe may have granted adequacy status somewhat randomly. Currently, the new regulation sets out stricter criteria, so it is necessary to align with European law.
Further to its review of Canadian law, the EU will study PIPEDA to determine whether it meets the desired standards for adequacy status. If the answer is no, it will have consequences for Canadian companies looking to receive information from European companies—and that includes something as simple as having a website that Europeans can access. Canadian companies will have to negotiate standard contractual clauses, which are very burdensome binding clauses approved by the European Commission, negotiate binding corporate rules, which are internal rules, or obtain individual consent, which is not easy to obtain in the case of every transaction.
Canada has adequacy status, while the U.S. does not. The Americans just negotiated the Privacy Shield for that, but the coverage is legal, not territorial. Mexico does not have it either. We have a competitive advantage that I don't think we want to lose.