On 16 July 2020 the Court of Justice of the European Union (CJEU) decision (Schrems II) sent a shockwave through the privacy, tech and business communities with its determination that the Privacy Shield is no longer a valid basis for transferring EU personal data to the US. Though focused on the US, this decision has the potential to impact Canadian businesses in a number of ways.
We will not reiterate what has already been described in numerous articles available through the IAPP about the decision itself, its history and lead-up; an excellent Canadian-oriented perspective is provided by Colin Bennett here. For what Canadian companies need to do about it, some background about Canada and its adequacy determination is needed. We will be developing some further articles to address Canadian concerns and provide practical tips, and we hope you will follow along with us.
The Limits of Adequacy
Canada’s adequacy determination in Commission Decision 2002/2/EC was limited to data that was under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). This means organizations that: (1) fall under the federal jurisdiction, such as banks, airlines, and telecommunications: (2) works declared to be federal works or undertakings: and finally (3) commercial activities, whether under federal or provincial law, involving the collection, use or disclosure of personal information and where a province has not passed substantially similar legislation. Note, that employee data, other than those organizations falling under (1) and (2) of PIPEDA’s ambit, is therefore not included in the adequacy determination.
To date, Alberta, British Columbia, and Quebec have privacy legislation that takes commercial activities in those provinces out of the federal jurisdiction through the ‘substantial similarity’ exemption to PIPEDA. Federal privacy law defers to provincial law if a province meets the substantial similarity test, providing a baseline of privacy regulation across Canada. This division of authority is important, because for provinces recognized as substantially similar, their laws have not been given the stamp of ‘adequacy.’ The Commission Decision however explicitly calls out that ‘substantial similarity’ exclusion only applies to processing activities within the province in question. Once processing involves another province or country, PIPEDA will apply.
Employment data transfers in cases falling under (3) above, should always have been done pursuant to another international data transfer mechanism, such as Standard Contractual Clauses (SCCs), rather that adequacy because as long as the data remains within the province, it will be under the exclusive jurisdiction of that province, not PIPEDA, and therefore cannot benefit from the adequacy decision. Many European lawyers are quite aware of this fine point though many in Canada have been surprised by the distinction. What was anticipated in the original EU decision would be a process by which Canadian federal recognition of substantial similarity would lead to an adequacy determination which would address these gaps in adequacy; this process was never actually developed.
The consequence is that a careful review is required to determine if adequacy applies to the personal data that a controller or processor will be processing in Canada. If it does not, an SCC is required; and this then requires the same kind of risk-based analysis that our US counterparts are now undertaking.
There are some fundamental differences between that risk assessment in the US and that in Canada. This will be subject of a future article, but in short, while Canada is a member of the “Five Eyes,” there are different legal redress mechanisms, Supreme Court of Canada decisions, and other considerations which may make the risk considerably lower than equivalent transfers to the US.
Impacts on Canadian Data Flows
The impact for Canada lies in three main areas:
- Companies that rely on Standard Contractual Clauses (SCCs) rather than Canada’s adequacy determination, to process data of European residents either as a data controller or processor must immediately undertake a formal risk assessment that addresses the risk associated with transfer of the personal data being processed, to Canada. The nature of that risk assessment and what companies can rely upon, as mentioned, will be subject of an article in its own right. However, documenting this risk analysis, as well as identifying and implementing appropriate risk mitigations, is essential to preserving those data transfers; see this interview with Abigail expanding on this assessment.
- Canadian companies that relied, indirectly, on Privacy Shield certification to process Europeans’ data in the US: The Privacy Shield determination solely applied to cover EU to US data transfers. Perhaps hopefully, some Canadian entities may have relied on their parent’s or subsidiaries’ or even processors’ Privacy Shield certification to address onward transfers to the US, in lieu of a formal agreement. As Privacy Shield is obviously no longer valid, these companies clearly must repair this misapprehension.
- Canadian companies that rely on service providers, entities or cloud services based in the US or other third countries, to process EU personal data (“onward transfers”): While the Schrems II decision does not attack or undermine current adequacy determinations, onward transfers have been always been a sticking point for the EU in relation to Canadian adequacy, based on the concern that onward transfers from Canada to the US or elsewhere are not subject to the same restrictions as they are when made directly from the EU. Canadian companies need to ensure they have undertaken the appropriate risk analysis, and documented and put in place SCCs or their equivalent, whether relying on adequacy or not. This applies whether the transfer is made to the US or any other non-adequate country. GDPR requirements follow the data: a Canadian controller must ensure the processing can continue to comply with GDPR ‘down the chain’, regardless of where the data is transferred. And a Canadian processor’s duty to process the personal data only on the controller’s instructions extends to any international data transfers. Canadian companies relying on US sub-processors should expect a call in the near term.
Canadian accountability principles require (as recently reinforced by the Equifax decision) some formality around transfers out of Canada of Canadians’ personal information. (It is arguable that the Equifax decision, rather than being one explained by consent principles, is really about accountability and the need to formally ensure that a data controller (to use EU parlance) remains in effective control over data processing activities by its processor). Complying with PIPEDA’s accountability principles then can be part-and-parcel of addressing the challenges arising from Schrems II in relation to onward transfers.
So to summarize needed actions by Canadian companies:
- If you are processing data as controller, or as a processor for a client with EU personal data, and relying on onward transfers, first do a risk assessment; and then assuming the risks are addressable, put in place SCCs between yourself and any organization doing processing for you, if in a non-adequate country;
- If you are relying on adequacy for transfers from the EU to Canada, be sure you are correct in doing so; and if you cannot rely on adequacy, again, conduct a risk assessment and document the transfer with an SCC.
Some further action steps for Canadian companies which we will also address in future articles. We should not rest on our adequacy laurels. Be aware that Canada, as well as all other countries in the ‘league of the adequate’ will have their adequacy determinations reviewed by 2022. We can likely anticipate this fall hearing from the EU concerning Canada’s adequacy status
To avoid the potential for disruption as our friends in the US are experiencing, it is important to consider what fall-backs your organization would rely upon to ensure that data transfers from the EU are not disrupted, as we have not been good at updating our privacy legislation quickly. Canadian companies need to consider how to switch to SCCs, or find alternative mechanisms. This is not going to be easy or quick, and so planning now is essential.
We also need to address privacy reform. Enlightened self-interest would dictate that Canadian businesses press our governments to act on privacy reform – for our own sakes, certainly first as Canada’s needs should certainly drive our discussion – but also to preserve Canada’s trade relationships with the EU, which in these uncertain times, is more important than ever.