Today’s decision by the European Court of Justice (Schrems II) invalidated the US Privacy Shield as a basis for privacy protections permitting the transfer of personal data outside of the EU. The decision has many implications for international commerce, including businesses operating in Canada.
One result is that Canada may become a preferred choice for data storage and processing in North America.
As a consequence of the decision, transferring personal data to the US will be much more challenging. The Privacy Shield was established, at least in part, to provide security assurances to protect the personal data in the US. The Privacy Shield framework was used to establish adequate protection for transfers to the US. Since the ECJ determined it does not sufficiently protect the rights of EU citizens, other protections are required, such as Binding Corporate Rules (BCRs). Having worked on setting up BCRs, which requires the establishment and documentation of detailed privacy and security standards, we can say they are much more cumbersome than standard contractual clauses.
The General Data Protection Regulation (GDPR) mandates that the transfer of personal data to a third country may only take place if the third country in question ensures an adequate level of data protection. According to the GDPR, the European Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection.
The European Commission determined in 2001 that Canada provides an “adequate” level of protection. The US did not have “adequacy status,” so it established “Safe Harbour” and then the Privacy Shield. In this decision, the ECJ has held that, unless there is a valid Commission adequacy decision (such as for Canada), EU supervisory authorities are required to suspend or prohibit a transfer of personal data to third countries like the US where standard data protection clauses are not or cannot be complied with in that country and where the protection of the data transferred that is required by EU law cannot be ensured by other means.
Organizations should consider taking advantage of Canada’s “adequacy.” In light of Schrems II, personal data transfers and processing from the EU to the US are in doubt, or at least will be more complicated. Canadian businesses, and multinational businesses with Canadian operations, may look to use Canada as a data processing centre, or shift operations which require the transfer of personal data from the EU to Canadian centres. A focus on business in Canada may be a good strategy to mitigate a suspension of transfers to the US, so as not to negatively affect operations, or to avoid having to take other significant steps to comply with GDPR data protection requirements. For many organizations, particularly small and medium-sized businesses, transferring personal data to the US may become impractical without the Privacy Shield.
If we can be of assistance in discussing the implications of Schrems II, or in reviewing privacy practices and data transfer agreements, please contact a member of our Privacy & Data Management Group.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Cory Sully is an associate in our Labour, Employment and Human Rights Group and Privacy and Data Management Group in Vancouver. She advises and represents clients in all areas of workplace law. Cory provides practical and strategic ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.