Any Impact of the recent EU’s privacy safe harbor decision for Canada?
On October 6, 2015, the Court of Justice of the European Union (“CJEU”) released a judgment invalidating an important Commission Decision 2000/520 which was validating the EU-US Safe Harbour Principles.
Why is this an important issue?
Pursuant to Directive 95/46/EC, EU Member States are required to provide that the transfer of personal data from Europe to a third country may take place only if the third country in question ensures an adequate level of protection. Until recently, any transfer of personal data from the EU to the U.S. were covered by Commission Decision 2000/520 which had found that transfers from the EU to the U.S. provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.
Are Canadian clients businesses impacted by this recent European Commission’s decision on the EU-US privacy safe harbor?
The short answer is no (for now), unless…
While this CJEU’s judgment mostly impacts signatories of the Safe Harbour Principles, it may also impact Canadian multinationals which have either relied on the Safe Harbour Principles to transfer data from their EU to U.S. operations, Canadian businesses that host EU data with service providers with operations in the U.S., or who outsource services to U.S. service providers for customers resident in the EU. Bottom line, unless an organization is involved in any such operations, it may not currently be impacted by this CJEU’s decision.
Are Canadian privacy laws “adequate” according to the EU?
The short answer is yes (for now)…
Many Canadian organizations are hosting and processing personal data transferred from the EU in Canada. This means that any personal data transferred from the EU would be governed under applicable Canadian private sector data protection laws such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar provincial laws pertaining to the collection, use and disclosure of personal information.
In 2001, the EU Commission issued 2002/2/EC: Commission Decision of 20 December 2001 finding that PIPEDA is considered as providing an adequate level of protection for personal data transferred from the EU to Canada. In light of this, many Canadian businesses which is acting in compliance with PIPEDA at all times when processing personal data, are not impacted by this recent CJEU’s judgment.
This being said, the Article 29 WP gave a hard time to Quebec last year. On June 4, 2014, the Article 29 Working Party released its Opinion 7/2014 in which it provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Quebec Act on the Protection of Personal Information in the Private Sector ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC. In its Opinion, the Article 29WP recommended that the European Commission not adopt a decision on the adequacy of the Quebec data protection law until certain improvements are made to the Quebec law.
I was extremely surprised with this Opinion given that the Quebec law is probably the most stringent in Canada – and had provided an interview to Nymity on this issue.
What’s next?
Companies which are impacted by this EU decision can use standard contract clauses (transfer agreements) that detail the rules for getting consent to transfer data. They can also consider Corporate Binding Rules. The U.S. and Europe will be establishing a new agreement, but until then, data transfers will be a much more complex process.
Want to know more?
To listen to the IAPP Audio Conference—A Future With No U.S.-EU Safe Harbor?, click here.
This content has been updated on November 7, 2015 at 14 h 37 min.