Today's decision by the European Court of Justice (Schrems II) invalidated the US Privacy Shield as a basis for privacy protections permitting the transfer of personal data outside of the EU. The decision has many implications for international commerce, including businesses operating in Canada.
One result is that Canada may become a preferred choice for data storage and processing in North America.
As a consequence of the decision, transferring personal data to the US will be much more challenging. The Privacy Shield was established, at least in part, to provide security assurances to protect the personal data in the US. The Privacy Shield framework was used to establish adequate protection for transfers to the US. Since the ECJ determined it does not sufficiently protect the rights of EU citizens, other protections are required, such as Binding Corporate Rules (BCRs). Having worked on setting up BCRs, which requires the establishment and documentation of detailed privacy and security standards, we can say they are much more cumbersome than standard contractual clauses.
The General Data Protection Regulation (GDPR) mandates that the transfer of personal data to a third country may only take place if the third country in question ensures an adequate level of data protection. According to the GDPR, the European Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection.
The European Commission determined in 2001 that Canada provides an "adequate" level of protection. The US did not have "adequacy status," so it established "Safe Harbour" and then the Privacy Shield. In this decision, the ECJ has held that, unless there is a valid Commission adequacy decision (such as for Canada), EU supervisory authorities are required to suspend or prohibit a transfer of personal data to third countries like the US where standard data protection clauses are not or cannot be complied with in that country and where the protection of the data transferred that is required by EU law cannot be ensured by other means.
Organizations should consider taking advantage of Canada's "adequacy." In light of Schrems II, personal data transfers and processing from the EU to the US are in doubt, or at least will be more complicated. Canadian business and multinational businesses with Canadian operations, may look to use Canada as a data processing centre, or shift operations which require the transfer of personal data from the EU to Canadian centres. A focus on business in Canada may be a good strategy to mitigate against a suspension of transfers to the US so as to not negatively affect operations, or avoid having to take other significant steps to comply with GDPR data protection requirements. For many organizations, particularly small and medium sized businesses, transferring personal data to the US may become impractical without the Privacy Shield.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
