European Union data protection laws prohibit the transfer of personal information to non-member countries unless they provide adequate protection for that information. Canada is deemed to be a country that provides adequate privacy protection, based on its Personal Information Protection and Electronic Documents Act (PIPEDA).
The US does not have federal legislation comparable to PIPEDA or EU laws, so the US government and the European Commission negotiated a safe-harbour framework of principles to permit US-based organizations subject to Federal Trade Commission or Department of Transportation jurisdiction to self-certify that they provided such protection for information transferred from the EU. In 2000, the European Commission declared that organizations that adhered to the safe-harbour principles adequately protected personal information and the framework has since been widely used to facilitate transfers from EU countries to the US.
In early October 2015, the EU Court of Justice struck down the European Commission’s decision. The court held that the decision contained no finding that the US as a country ensures an adequate level of protection for personal information, and that the safe-harbour principles apply only to those organizations that choose to adhere to them. Governmental authorities could override the protections by operation of national security laws, without sufficient oversight to ensure the protection of the privacy rights of EU citizens under EU laws.
The safe-harbour principles largely mirror the principles set out in the National Standard of Canada Model Code for the Protection of Personal Information, which is incorporated into schedule 1 of PIPEDA. Those principles include requirements to provide individuals with notice of the purpose of collecting personal information and the option to decline collection and disclosure of information, and obligations to safeguard the information, to ensure information is only disclosed to third parties with adequate safeguards in place, and to allow individuals to access and correct their information. However, Canada differs from the US in that PIPEDA is a law of general application to all organizations engaged in commercial activity and the act contains narrow, precise exceptions for disclosure of personal information without individuals’ consent to governmental agencies or other third parties.
Multinational corporations with operations in Canada may find in-house solutions to the uncertainty created by the safe-harbour ruling by using their Canadian locations and employees for the use, processing and storage of personal information of EU residents. Similarly, service providers based in Canada may capitalize on the growth opportunities that come with the ruling by offering data storage, processing, e-discovery services for litigation, and marketing solutions from within Canada.
Although the safe-harbour ruling has increased the risk of regulatory sanction in connection with transfers of data from the EU to the US, data protection authorities in EU member states will need time to assess the scope of the ruling, determine a regulatory response appropriate to their laws, authority and regulatory resources, and prioritize their enforcement obligations. Privacy law enforcement continues to be largely complaint-driven, requiring investigations of the specific facts surrounding the impugned transfer and determination of the subject parties’ compliance. In other words, the court’s decision has removed the safe-harbour path to defensible transfers, but has not constructed a firewall in its place.
As much as data protection authorities will need to assess interim and permanent approaches to enforcement, US-based organizations should examine their existing data transfer arrangements and prioritize a response plan for those most likely to be affected by the safe-harbour ruling. Some initial questions to ask include: What types of personal information are being transferred? How sensitive is the information? From whom is the information being collected – customers, employees, suppliers – and what is the likelihood of complaints from those constituencies? For what purpose is the information being transferred – marketing, sharing with partners, customer service, processing/storage? Does the information need to be transferred to the US? Are there alternative solutions that allow the use of personal information within the country of origin or transfer to a third country deemed adequate such as Canada? Do the company’s third-party service providers have alternative locations or interim solutions ready to deploy? Can impending transfers be delayed until an interim solution is developed without disrupting the business objective?
As businesses, data protection authorities and practitioners further digest the ruling and its consequences for industries under Federal Trade Commission and Department of Transportation jurisdiction, interim measures will be crafted, tried and revisited. And while it may take time, a longer-term solution is already on the horizon: the US Department of Commerce and the European Commission have indicated their willingness to negotiate a new framework that is compliant with EU data protection and privacy laws.