The world is processing the massive implications of today’s decision from the European Court of Justice in response to the complaints by Max Schrems of None of Your Business, a long-term campaigner for privacy rights. The story has a lot of twists and turns, but this is the upshot.
First, the US/EU Privacy Shield has been declared an invalid mechanism for the transfer of personal data on European citizens from the EU to the US. This decision was not unexpected. Like its predecessor, the EU-US Safe Harbor arrangement, the Privacy Shield had come in for a lot of criticism from the outset, even though over 5000 companies have signed up, and self-certified as compliant with its principles. These companies now have to find another legal way to transfer personal data from Europe to the U.S.
It is important to note, however, that the essential “co-regulatory” model behind the Privacy Shield was not invalidated. It is still (theoretically) possible for another mechanism to be negotiated that allows new certifications to a new set of principles and involving a more credible and legally enforceable set of rights of redress for Europeans. But there is no political will to engage in more lengthy negotiations, and so it is safe to assume that Privacy Shield is dead, and so is the model for international transfers upon which it is based.
Critically, the court took aim at the European Commission for declaring in 2016 that the Privacy Shield constituted an adequate level of protection — at least for those transfers going to registered companies. The Commission got it wrong. The Privacy Shield does not grant citizens actionable and enforceable legal rights against the “dragnet” national surveillance programs, revealed by Snowden, and the source of Schrems’ complaints in the first place. Further, the new redress mechanism, the Privacy Shield Ombudsperson, cannot be considered a “tribunal” under Article 47 of the EU Charter, and cannot, therefore, be considered an independent and impartial court; I analyzed this mechanism and the general potential of using the ombudsman in data protection law in a prior paper.
The Court also considered the legality of standard contractual clauses as a legal mechanism for transferring personal data. Standard contractual clauses remain a legal way to transfer data internationally. BUT, they have to be assessed on a case-by-case basis and in the light of all the circumstances of the transfer. They are not, therefore, automatic legal guarantees arranged between the exporter and importer of the data, and without any consideration of the rights of the data subject. As the court found that there was no effective redress mechanism for Europeans in the US with respect to intelligence and security agencies, it follows that companies cannot rely on SCCs (or presumably Binding Corporate Rules) if the fundamental rights of Europeans cannot be guaranteed. Many companies and routine transfers of personal data would not be affected. Others, and especially IT companies that fall under the FISA 702 surveillance law, would. Schrems has been quick to point this out.
So this is obviously a huge decision with massive and global implications. But this decision is NOT just about Facebook, and it is not just about the U.S. So the Canadian government needs to take this very seriously. What are the implications?
First, it is imperative that the current adequacy decision for PIPEDA be extended. Canada continues to have an advantage over the U.S. Our companies do not need to engage in costly negotiations of contracts or BCRs, because they are given the convenient safe harbor of EU adequacy. They might, under a “belt and suspenders” rationale use these additional mechanisms, but they do not need to.
Secondly, however, that advantage could be short-lived. And that means some serious, rather than cosmetic, reform to PIPEDA, as I have argued before. The EU Commission got burned by its adequacy determination for the Privacy Shield. It will need to be very careful in the future. The standard is one of “essential equivalence.” The Commission has signaled that this does not just mean a simple checklist. However, it is obvious that, at the very least, Canada needs far stronger enforcement powers for the privacy commissioner (including administrative fines), mandatory breach notifications and PIAs, as well as provisions for privacy by design and by default. These provisions are included in the new Quebec bill 64, which incorporates many of the provisions of the General Data Protection Regulation (GDPR), and which seriously ups the ante for the federal government.
Third, because Canada is a member of the Five Eyes network, the question of redress against national security and intelligence services is, and will continue to be, prominent in any analysis of Canadian adequacy. This is where we might have some advantages over the U.S. There is a credible and independent oversight and redress mechanism now — the National Intelligence Review Board. And critically, it can field complaints from non-Canadians. Further, its actions may be reviewed by the courts. But these mechanisms need to be tested and proven to be effective. The recent decision by the federal court finding that CSIS displayed a “cavalier institutional approach” to the rule of law will not help in advancing the case that our intelligence agencies are properly accountable.
Fourth, the Canadian government should seriously begin to look at the question of signing, and ultimately ratifying, the modernized Convention 108 from the Council of Europe. Convention 108+ remains the only serious candidate for an internationally binding multilateral legal treaty for privacy and data protection rights. It is conceptually and legally consistent with the GDPR, but it is also more accessible. The advantages of signing and ratifying this Convention have been laid out by Graham Greenleaf. Lee Bygrave has reminded us that, earlier in the history of data protection, there was as much a “Strasbourg effect” on the spread of data protection as a “Brussels effect.” It is a very important instrument, based on human rights rather than commercial principles, and could serve Canada very well in the years ahead in consolidating its position within the international digital economy.
Finally, I have a plea. I wish the Canadian commercial sector were a little less complacent on these issues. I have detected a certain smugness about our position. Canada has enjoyed this relatively privileged “adequacy” status. Some of our companies have been pioneers in developing privacy management programs. Instruments such as privacy by design and privacy impact assessments (now integrated into the GDPR) had very early origins in the Canadian debates. But the world has changed, and the standards have changed. It is no longer persuasive to contend that PIPEDA has provided a workable and balanced approach to privacy protection that has served us well. It was a statute designed for a different era. Above all else, today’s decision by the CJEU reinforces the central point that the stakes are a lot higher and a lot more political, and that flimsy data protection standards can be torn down by an increasingly activist movement of privacy advocates.