Declaration of Cooperation (Commission nationale de l’informatique et des libertés)

Declaration of Cooperation

Between

Commission nationale de l’informatique et des libertés (CNIL)

and

The Privacy Commissioner of Canada

---

This Declaration of Cooperation (“Declaration”), dated on December 10, 2025, is hereby entered into

between:

Commission nationale de l’informatique et des libertés (CNIL), the independent data protection authority in France, having its offices at 3 place de Fontenoy, 75007, Paris, France;

AND

The Privacy Commissioner of Canada (PCC), the independent federal data protection authority in Canada, with head offices at 30 Victoria Street, Gatineau, Quebec, K1A 1H3, Canada.

---

The CNIL and the PCC may be referred to individually as the “Party” and collectively as the “Parties”.

RECOGNIZING that the Parties have similar functions and duties with respect to the protection of personal information in the private sector in their respective countries and that they act with complete independence in performing their tasks and exercising their powers;

RECOGNIZING the nature of the modern global economy, the increase in circulation and exchange of personal data across borders, the increasing complexity of information technologies and the need to deepen the dialogue between data protection authorities;

RECOGNIZING that Canada and France maintain strong cultural and economic ties, rooted in a shared history and common language;

HIGHLIGHTING that Canada has, since December 2001, benefitted from an adequacy decision by the European Commission recognizing that Canada provides an adequate level of protection for personal data transferred from the European Economic Area to recipients subject to the Personal Information Protection and Electronic Documents Act (PIPEDA);

RECOGNIZING that section 23.1 of PIPEDA authorizes the PCC to enter into arrangements to promote cooperation with counterparts in other jurisdictions, including for the purpose of sharing knowledge and expertise as well as identifying issues of mutual interest relating to the protection of personal information;

RECOGNIZING that according to article 50 of the General Data Protection Regulation (“GDPR”) the CNIL can, in relation to counterparts in third countries such as Canada, take steps to further international cooperation, including by the sharing of knowledge and expertise;

RECOGNIZING the intent of the Parties to deepen their existing relations, to promote exchange of information, experience, and best practices in order to better protect individuals within the scope of the applicable data protection and privacy laws of France and Canada;

DECLARE THE FOLLOWING:

1. Background, Objectives and Scope

• 1.1. The Parties hereby agree to establish a general framework of cooperation, depending on their available resources and annual priorities, in their common interest to:
  1. Facilitate the realisation of joint internal research and education projects related to new technologies and data protection issues.
  2. Share best practices, knowledge and information on privacy and data protection policies, on education and training programmes and on procedures and methods used by the Parties in the course of their investigations.
  3. Share the Parties’ annual enforcement plans and annual activity reports following their public announcement.
  4. Consider organising a training workshop on topics to be defined by the Parties such as on complaint and sanction procedures.
  5. Facilitate exchange of staff members based on specific conditions to be established by the Parties on a case-by case basis.
  6. Convene bilateral meetings regularly or as mutually decided by the Parties.
  7. Jointly identify any other areas or initiatives for cooperation as mutually decided by the Parties.

2. Role and functions of the CNIL

• 2.1. The CNIL is an independent administrative authority. It is the supervisory authority within the meaning and for the application of the General Data Protection Regulation (GDPR). It carries out the tasks set out in article 8 of the Loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, notably: informing and protecting rights; supporting compliance and advising; anticipating and innovating; and carrying out investigations and sanctioning.

3. Role and functions of the Privacy Commissioner

• 3.1. The Privacy Commissioner is appointed under the Privacy Act, R.S.C. 1985, C. P-21, and is an independent Agent of Parliament.
• 3.2. The Privacy Commissioner has a broad range of statutory duties, including overseeing compliance with PIPEDA, Canada’s federal private-sector privacy law.
• 3.3. The Privacy Commissioner’s powers under PIPEDA include conducting investigations in respect of complaints, issuing reports of findings and recommendations; and appearing before the Federal Courts in applications under PIPEDA.
• 3.4. The Privacy Commissioner is also required to promote, by any means that they consider appropriate, the purposes of Part 1 of PIPEDA, including by:
  1. developing and conducting information programs to foster public understanding and recognition of the purposes of Part 1 of PIPEDA;
  2. undertaking and publishing research related to the protection of personal information; and
  3. encouraging organisations to develop detailed policies and practices, including organisational codes of practice.

4. No Sharing of Personal Data (Personal Information)

• 4.1. The Parties do not intend that this Declaration will cover any sharing of personal data (personal information) by the Parties.
• 4.2. If the Parties wish to share personal data (personal information), each Party will ensure compliance with its own Applicable Privacy Laws, which may require the Parties to enter into a further written agreement governing the sharing of such personal data.

5. Confidentiality

• 5.1. Each Party will keep confidential all information received or created in the course of cooperating in accordance with the terms of this Declaration, to the extent consistent with the laws and regulations in force in each Party’s country. The obligation of confidentiality will apply to all persons who are or have been employed by the Parties, involved in the governance of the Parties or otherwise associated with the Parties.

6. Use of Information and Documents

• 6.1. The Parties may use information, including unsolicited information, received or created in the course of cooperation only as permitted in the request. If any Party intends to use information received or created in the course of cooperation for any purpose other than those stated in the request, it will obtain the prior written and specific consent of the other Party.

7. Non-binding Character of the Declaration and Limitations on Assistance

• 7.1. This Declaration does not create any binding international legal obligations, nor does it modify or supersede any laws, regulations or regulatory requirements in France or Canada. This Declaration does not give rise to a right on the part of the Parties or other governmental or non-governmental entity or any private person to challenge, directly or indirectly, the degree or manner of cooperation by the Parties.
• 7.2. No Party is obligated under this Declaration to cooperate with the other Party in any particular circumstance, and either Party may deny requests for information and assistance for any reason.
• 7.3. Either Party may require that any cooperation be subject to certain limitations or conditions having been agreed upon by the Parties, for example, in order to avoid breaching applicable legal requirements. Any such limitations or conditions will be agreed upon by the Parties on a case-by-case basis.

8. Revision of the Declaration

• 8.1. The Parties may consult and revise the terms of this Declaration in the event of changes in the laws, regulations or practices affecting the operation of this Declaration, or if the Parties themselves wish to modify the terms of their cooperation.
• 8.2. Any amendments to this Declaration will be made in writing and signed by each Party.

9. Designated Primary Contacts

• 9.1. Each Party will designate a member of their staff to serve as Primary Contact for the purpose of requests and communications under this Declaration.
• 9.2. The Parties mutually agree on communicating the name and email address of a Primary Contact for all matters under this Declaration.
• 9.3. The Parties also commit to update the name and email address of the Primary Contact as soon as any change occurs.

10. Entry into Effect and Termination

• 10.1. This Declaration will come into force on the date of its signature by both Parties.
• 10.2. This Declaration may be terminated by either Party at any time upon giving at least thirty days prior written notice to the other Party.
• 10.3. If either Party gives such notice, this Declaration will continue to have effect with respect to all requests made before the effective date of notification.
• 10.4. The obligation of confidentiality in section 5 will remain in force even after the termination of the Declaration.

Signed in duplicate, in the French and English languages, each version being equally authentic.

Signed on December 10, 2025,