EU-US data agreement a call to arms for Canadian businesses

Canada’s privacy regime may be next in the European Union’s push for better protection of its citizens’ data

The EU-US Privacy Shield announced early in February should be a call to arms for Canadian businesses that transfer data directly from the EU to the US or that receive data anywhere that they ultimately transfer to the US.

“The Privacy Shield is bringing us one step closer to an EU re-evaluation of the adequacy of Canada’s privacy regimes,” says David Young of David Young Law in Toronto. “So Canadian companies should be examining the Shield to see how we can apply its principles in the Canadian context.”

The Privacy Shield will replace the Safe Harbour Agreement between the EU and the US that the European Court of Justice (ECJ) invalidated last year in Schrems v. Data Protection Commissioner. The court ruled that a foreign privacy protection regime had to be “essentially equivalent” to the EU regime to qualify for the safe harbour provisions that exempted its nationals from the EU’s restrictions on data transfer. But the US, which lacks a comprehensive privacy protection regime, did not qualify primarily because national security, public interest and law enforcement policies there were so overriding as to deprive EU citizens of the privacy rights guaranteed by their own laws. Compounding the problem was the fact that US law provided no redress for adversely affected EU citizens.

Like the original Safe Harbour Agreement, then, the Privacy Shield is intended to protect the personal information of European Union citizens in accordance with EU standards in cases where the information is sent abroad for commercial purposes. To comply, US businesses will need to commit to certain obligations regarding the processing and protection of personal information. The Department of Commerce and the Federal Trade Commission will enforce these commitments.

As well, the US government has given assurances that personal information of EU citizens that is transferred to the US will not be subject to mass surveillance programs and that its use for national security and related purposes will be subject to certain safeguards.

The Shield also allows EU citizens who feel their rights have been breached to channel complaints to the company involved. European data protection authorities may also refer complaints to the DOC and the FTC. Companies will have deadlines to reply to the complaints and unresolved complaints will be dealt with under certain free-of-charge dispute resolution mechanisms. Complaints about access by national intelligence authorities will be addressed to a dedicated US-based ombudsperson.

“What the Shield has done is articulate some very specific principles that the EU wants to see in place as part of any safe harbour agreements,” Young says. “They’ll be particularly interested in concrete commitments from countries whose privacy regimes have the same issues that arose in Schrems.”

Canada may be one of these countries.

“What a lot of people are concerned about is that if the Schrems type of analysis is applied to our federal legislation and to a lesser extent our existing provincial legislation, the adequacy of our privacy laws could be in question,” says Mark Hayes of Hayes eLaw LLP, a privacy, IP and technology boutique in Toronto.

Although the European Commission determined in 2001 that Canada’s Personal Information Protection and Electronic Documents Act provides “adequate protection” for data transferred from the EU, it could revisit that conclusion. Indeed, as Hayes points out, the ECJ did note that the level of protection ensured by countries outside the EU is liable to change and that “it is incumbent upon the [Data Protection] Commissioner” to periodically check whether an earlier adequacy decision was still justified.

The potential difficulty for Canada is that even a cursory check would reveal that our national security agencies have, broadly speaking, much the same authority as their US counterparts. Last year, a European Parliament committee produced a report on global cybersurveillance capabilities that concluded the systems were rough equivalents — and that was before the Privacy Shield offered Europeans the comfort of an ombudsperson in matters of national security and a dispute resolution mechanism for other privacy complaints.

Worst of all, perhaps, Canadian law does not even prohibit the transfer of data to countries lacking strong privacy regimes.

“All we require is contractual arrangements ensuring that Canadian restrictions will be largely honoured by the entity that is receiving the data,” Hayes says.

The bright side is that the Canadian regime is generally held in very high regard by international authorities. So we won’t be the first ones the Europeans look at.

That could be little comfort for the unprepared, however, when the EU – perhaps in the afterglow (or aftermath?) of CETA’s signing – decides to take a closer look at its new best trading friend.
