After months of eager anticipation, the Court of Justice of the European Union (CJEU) delivered its decision in Schrems II, the latest chapter in the ongoing tug-of-war between US laws that demand surveillance and EU data protection laws that require privacy.
The case assessed the tolerability of Facebook transferring personal information from the EU to the US, particularly in view of the vast scope and reach of America’s pervasive surveillance apparatus.
The Court established that data may be processed by authorities in a non-EU country “for the purposes of public security, defence and State security” but that “this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.”
The CJEI also held that, “data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR”.
The CJEU decision affects more than 5,300 American organizations and a $7.1 trillion transatlantic economic relationship between the EU and the US. More notably, it underscores the global reach of the GDPR — including for Canadian organizations.
The Schrems II decision increases the urgency for Canada to modernize its privacy laws both because of the state of Canada’s privacy laws, and its surveillance and information-sharing regime.
The CJEU’s message — that the free flow of personal data can take place only to countries that provide adequate protection for EU citizens’ rights over their own data, and its confirmation that the US National Security Administration’s surveillance activities “are not subject to judicial oversight and are not justiciable” — is a clarion call for Canadian lawmakers and EU organizations alike.
Prudent EU organizations must bear in mind the awkward reality that Canada is a signatory to many international free trade agreements, and a member of the Five Eyes alliance. Those mechanisms permit — and often require — require significant cross-border sharing of personal information, often into the United States and other jurisdictions where privacy laws are less stringent than in Canada or the EU, and where individuals have no right of recourse — which is contrary to the GDPR.
Despite Canada’s inclination toward international information-sharing, the EU granted “adequacy status” in 2001 (and reaffirmed it in 2006), recognizing that the Personal Information Protection and Electronic Documents Act (PIPEDA) offers a level of data protection equivalent to that provided to residents in the EU, where privacy is considered a human right.
By contrast, organizations in the EU wishing to transfer personal information to the US (which has not been granted adequacy status) relied on the Privacy Shield Framework, a mechanism in effect since 2015 (when its predecessor Safe Harbour was declared invalid). Both mechanisms were intended to facilitate the transfer of personal information from the EU to the United States (where privacy is often viewed as an impediment to commerce and innovation).
That all changed with the Schrems II decision, which immediately invalidated Privacy Shield and threatened Canada’s preferred “adequacy status”.
In the decades since PIPEDA came into force, as privacy advocates and Commissioners repeatedly implored the Canadian government to update PIPEDA, lawmakers tweaked but did not see fit to substantively update or strengthen PIPEDA. As a result, the law — crafted before smartphones existed — is inadequate to address or limit the use (by governments and companies) of biometrics, facial recognition, artificial intelligence, and other privacy-invasive “smart” technologies that were science fiction when PIPEDA was drafted.
The CJEU’s recent Schrems II decision compounded the urgency for Canada to substantively modernizing its privacy and access laws and put the country’s adequacy status in greater jeopardy than it was after the GDPR took effect in May of 2018.
In June of 2018, the Government of Canada committed to reforming PIPEDA. Also in 2018, when the federal government officially launched the National Digital and Data Consultations, it committed to reforming PIPEDA and “to examine the viability of certain changes to PIPEDA to ensure that it continues to meet its stated purpose of maintaining trust and confidence in the marketplace.”
Any further languor in implementing needed legislative reform risks wide-ranging and long-lasting economic and commercial trade implications that Canada (and its political apparatus) can little afford.
What about Standard Contractual Clauses?
In addition to invalidating the Privacy Shield data transfer mechanism, the Schrems II decision also called into question the effectiveness of Standard Contractual Clause (SCC) in safeguarding EU residents’ privacy. SCCs may still be used, but EU data controllers must now determine, on a case by case basis, if the personal information they send outside the EU will be able to be adequately safeguarded in the destination countries.
“…In those circumstances, the Court specifies that the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.”
In practical terms, it means that EU companies willing to transfer personal data to “data importers” in other countries will now have to ascertain if the legal regime of the receiving country undermines the data importer’s ability to adequately protect personal data, or if things such as entrenched surveillance programs present a significant privacy risk. (Spoiler alert: they do.)
Having well-worded contracts, SOC2 and ISO27001 certification are certainly important for data importers to be able to reassure EU data controllers about data governance practices. In reality, though, none of those measures (individually or as a group) is enough to override the invasive and disproportionate privacy risk posed by a nation’s pervasive surveillance programs. And even with all of those mechanisms in place, if an EU country’s Data Protection Authority concludes that the risk to personal information would be too great in the destination country, no contract will be enough to overcome that impediment.
What to do?
Using technologies such as reliable VPNs and end-to-end encryption is important for all organizations, regardless of the Schrems II decision. Unfortunately, even technological safeguards offer only limited protection, thanks to the fervent efforts of democratic and autocratic governments to require encryption backdoors, and the success that companies such as Celebrite have had in breaking strong encryption to assist governments and law enforcement.
Relying on consent to facilitate the transfer of personal information would be equally problematic since consent would have to be obtained from each person before their information could be transmitted to a “data importer” in another country. The operational data management challenges of that approach would be a burden that could crush even the most robust of organizations.
The only viable option is for the Government of Canada to promptly implement the unwavering advice it has received from privacy advocates, the Privacy ad Access Council of Canada and other governance bodies, and the country’s many Information and Privacy Commissioners: Update PIPEDA to recognize privacy as a fundamental human right and to meet or exceed the GDPR’s data protection standards.
Modernizing Canada’s privacy laws would facilitate international commerce and allow businesses to continue to transmit personal information across borders; and that would, in turn, improve Canada’s fortunes and the trust Canadians have in their government, economy, and public sector.