“Schrems II” decides validity of personal data transfer mechanisms – impact on Canadian organizations

July 20, 2020 | David Krebs, Amanda Cutinha

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its long-awaited decision regarding the validity of existing personal data transfer mechanisms outside the EU under the General Data Protection Regulation (“GDPR”), the so-called “Schrems II” case, named after Austrian privacy activist Max Schrems (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”)).

The final decision of the Court was somewhat surprising and now raises many questions as to how organizations will manage EU data transfers to the United States. The Court decided two key matters: 1) it validated the use of Standard Contractual Clauses (“SCCs”) on certain conditions, including robust case-by-case risk assessments; and 2) it invalidated the US-EU “Privacy Shield,”[1] which was an instrument brought on to replace the previously recognized but then abandoned “Safe Harbour program.” The decision was silent on “Binding Corporate Rules” (BCRs), which are also an accepted data transfer mechanism under the GDPR.[2]

This decision will undoubtedly have an impact on many Canadian organizations as well. As we have reported previously, Canadian organizations may be subject to the GDPR even where they do not have a physical presence in the EU. Here are a few recommended next steps.

Practical Next Steps for Canadian Organizations

  1. Conduct a data transfer inventory to understand to what extent you collect, use, store or otherwise process personal information from the EU, and whether your organization is a “data controller” or “data processor” of that information.
  2. If your organization processes EU personal data, understand the data flows, under what basis data is being transferred, and to which countries (Canada’s private sector law, Personal Information Protection and Electronic Documents Act (“PIPEDA”), is considered “adequate” under GDPR). Note that any personal data that is subject to other federal and provincial privacy laws may not be protected.
  3. Understand contracts that involve the processing of relevant personal information across borders. Note any transfers outside of the EU and Canada on the basis of the Privacy Shield or SCCs.
  4. Monitor guidance from EU Data Protection Authorities as the decision leaves many open questions.
  5. Consider a due diligence plan that includes an assessment of the destination jurisdiction and how the law permits access by local law enforcement.

Background

The Schrems saga began in light of the 2013 statements of infamous whistleblower, Edward Snowden, concerning the disregard for personal data by the United States intelligence services, such as the National Security Agency. Austrian-based privacy activist and Facebook user, Maximillian Schrems issued a complaint to the Irish Data Protection Commissioner (“the Commissioner”) regarding Facebook Ireland’s transfer of its users’ personal data to the US where it is processed and stored. The Commissioner rejected the complaint, stating that the US ensures an adequate level of protection of transferred personal data, and the question was referred to the CJEU. In a prior decision, Schrems I, the CJEU declared the EU-US Safe Harbour Privacy Principles invalid, finding that transfers of personal data to the US from the EU under the Principles did not provide adequate protection.

Movement of Data

Under Article 25 of the GDPR, EU personal data must not be transferred outside of the EU unless it is transferred to a jurisdiction with “adequate” protections or under SCCs. The adequacy of the level of protection afforded by a third country must be “essentially equivalent to that ensured within the Union,”[3] such as those found in PIPEDA.

Whether a third country meets this equivalency standard is assessed holistically, considering the circumstances of a data transfer operation, the country’s respect for rule of law and access to justice, international commitments, domestic law (including public security, defence, national security, public order and criminal law) and added safeguards the controller adduces. The third country should ensure independent data protection supervision, implore cooperation mechanisms with data protection authorities and provide data subjects with effective and enforceable rights and redress.

Standard Contractual Clauses

In light of these protections, EU Data Protection Authorities must determine whether SCCs offer sufficient safeguards to protect personal data in the importing jurisdiction in a comparable way as in the EU. In finding SCCs valid, the CJEU imposed a heavy burden on data exporters and importers that use SCCs, requiring them to assess any conflicts and inabilities to comply with SCC terms. Additionally, data exporters must carry out an assessment of the data protection afforded by the third country at issue to determine whether it is, in fact, essentially equivalent to that provided for in the EU. Supervising authorities are empowered to suspend or prohibit transfers of personal data if the transfer does not meet the adequacy threshold.

The EU-US Privacy Shield

The “essentially equivalent” adequacy threshold also informed the CJEU decision that the EU-US Privacy Shield was invalid noting,

[T]he limitations on the protection of personal data arising from domestic law of the United States and on the access and use by US public authorities of such data transferred from the European Union to the United States […] are not circumscribed in a way that satisfied requirements that are essentially equivalent to those required under EU law.[4]

The CJEU found that US national security legislation, public interest principles and law enforcement mechanisms condone the interference with the fundamental rights of persons whose data are transferred to the US. The Court took particular issue with the lack of limitations placed on surveillance programs under section 702 of the Foreign Intelligence Surveillance Act. While the EU-US Privacy Shield seeks to limit the impact of transfers of data on personal data protection rights, its mechanisms do not enable data protection in the US to be essentially equivalent with EU law.

What Does this Mean for Canadian Organizations

As noted, Canadian organizations should conduct a review of data flows to assess potential impact. Some Canadian organizations will be directly impacted by the GDPR, while others, usually as data processors, will be indirectly impacted under contract with the controlling entity.

If you have any questions or wish to discuss the issue, please reach out to David Krebs or another member of our Privacy Team.


[1] Designed by the US Department of Commerce and the European Commission to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States.

[2] Art. 46

[3] Para 104

[4] Para 185

Disclaimer

The blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of the blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.