State surveillance programs spell serious consequences for business – could Canada be next?
Last week the Court of Justice of the European Union (CJEU), the highest EU court, issued a judgment in Case C-362/14 that invalidated the Safe Harbour Decision that heretofore had allowed U.S. companies to transfer and store personal data of EU citizens in the US as long as they voluntarily agreed to respect certain principles. This decision will affect over 4700 companies who have EU customers and store and process EU user data in the US.
The EU Data Protection Directive provides that the transfer of personal data of EU citizens to a non-EU country “may, in principle, take place only if that third country ensures an adequate level of protection of the data”. Thus, personal data was allowed to be transferred out of the EU if the European Commission found that the destination country had implemented an adequate framework for data protection by reason of its domestic law or its international commitments.
The EU Commission had decided in 2000 that under the ‘safe harbour’ scheme, which was a series of principles concerning the protection of personal data to which U.S. companies could voluntarily subscribe, an adequate level of protection existed for personal data transferred to the US. For US companies, the transfer could have occurred under the safe harbour principles, through contractual undertakings or by relying on other exceptions set out in the Directive. This became known as the Safe Harbour Decision. The Commission has made adequacy findings for other non-EU jurisdictions such as Canada.
In this case, a Facebook user named Maximillian Schrems filed a complaint with the Irish Data Protection Commissioner over the transfer of his data, and the data of other EU users, to Facebook’s servers in the United States where they are processed. The grievance was substantiated by the 2013 Snowden revelations about the NSA’s surveillance activities and the resulting claim that US law and practice does not offer sufficient protection against surveillance by the public authorities of the data transferred.
Schrems’s complaint, which was initially rejected by the Irish privacy authority on the grounds that it did not have the authority to overrule the Commission’s Decision, was appealed before the High Court of Ireland, which was asked to determine whether it was possible to challenge a Commission adequacy finding via a court process. Specifically, the question was whether the adequacy finding of the Commission, in this case the Safe Harbour Decision, prevented an EU member state’s privacy authority from investigating and ruling on complaints relating to the adequacy of a non-EU country’s data protection regime and, where appropriate, suspending the transfer of data to that country.
The case made its way to the CJEU which last week rendered a judgment invalidating the Safe Harbour Decision.
There are two major outcomes of this decision.
The first is that countries whose government security framework overrules privacy rights may not be found to have an adequate data protection framework to be allowed to transfer EU citizen data out of the EU.
The Court found that “national security, public interest and law enforcement requirements in the United States prevail over the safe harbour scheme” such that the US businesses that had voluntarily subjected their operations to the safe harbour principles are “bound to disregard, without limitation, the protective rules laid down by [that] scheme where they conflict with such requirements”.
US public authorities are not prevented by the safe harbour scheme from interfering with the fundamental right of EU citizens to the protection of their personal data. The CJEU did not find sufficient rules or legal protection against such interference. Several aspects of the US legal framework were found to compromise the essence of the EU’s fundamental right to respect for private life and the right to effective judicial protection, namely:
- The existence of legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications; and,
- The absence of legislation providing for the possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data.
The basis of this finding is that transfers of EU data to the US meant that this data could be subject to unfettered surveillance by the NSA. Specifically, “personal data transferred by companies such as Facebook Ireland to its parent company in the United States is…capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data.”
Without doubt, this ruling will have major business implications for businesses storing data in the US.
It also gives pause to contemplate Canada’s own data protection framework and whether new government surveillance powers, such as those enabled by Bill C-51, might also invalidate the adequacy finding of Canadian privacy legislation. The European Commission decided in 2001 that Canada’s privacy law, PIPEDA, provided an adequate level of protection for the data of European citizens and was thus consistent with the Directive. However, the same reasoning in the Schrems decision might be used to invalidate the ruling on Canadian adequacy, which is now almost 15 years old. While Canadian privacy law may at one point have been considered adequate, it may no longer be.
In its current form, PIPEDA includes several instances where businesses are permitted or required to disclose personal information in their possession, such as under court order or when faced with certain types of law enforcement access requests, including those related to national security.
The second game-changing result of this ruling is jurisdictional. The CJEU also decided that the powers available to national data protection authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive of 1995 are neither eliminated nor reduced by the existence of a Commission decision finding that a non-EU member country ensures an adequate level of protection of personal data transfers. The court invalidated the Safe Harbour Decision in part on the basis that it denies national authorities their powers to protect the privacy and the fundamental rights and freedoms of individuals when a person wishes to file a complaint about the adequacy of protection afforded to their data when it is transferred abroad. The onus rests on each EU member country to implement the Data Protection Directive of 1995. For example, in this case, the Irish authority now has to examine Mr. Schrems’s complaint and decide whether, according to the Directive, transfer of Facebook’s EU subscriber data to the US ought to be suspended because the US does not adequately protect personal data.
This is important because it makes other adequacy findings vulnerable to similar decisions. There is a risk that EU states may find Canada’s privacy framework to no longer adequately protect EU user data and prohibit the flow of data from the EU to Canadian servers.
The other upshot related to Canadian data is this: If the US privacy framework isn’t adequate enough to protect the rights of Europeans, is it good enough for Canadian privacy rights? Canadians may wonder whether they want their data stored in the US, given the Snowden revelations. That being said, the power of Canadian surveillance agencies to override privacy legislation continues to grow.
On a final note, the recently adopted Trans Pacific Partnership deal, promoted as being a major economic victory for Canada, allegedly includes restrictions on limiting the flow of data between signatory nations, which include the United States, Australia and Japan. Complete data flows and data storage in the U.S., which Europe has just said no to, may not be desirable for Canadian data either, especially more sensitive information related to health or finances. Information in the US is easily accessible by the NSA and other agencies under the Patriot Act. The TPP allegedly includes a provision that bans data localization requirements, which would prohibit the type of decision just passed in Europe. There may be serious implications for the ability of the Canadian government to pass more stringent rules to protect the privacy of Canadians and limit data transfer.