On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered its decision in the case known as “Schrems II”. The decision upholds the validity of Standard Contractual Clauses (SCCs) as a mechanism for transferring personal data outside the European Union (EU), but invalidates the EU-US Privacy Shield as a basis for transferring personal data from the EU to the US.
These are the implications for Canadian companies under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- All transfers of personal data from the EU and the European Economic Area (EEA) to the US under the EU-US Privacy Shield or SCCs must be reassessed.
- Transfers that currently rely on the EU-US Privacy Shield must be placed on another legal basis, such as SCCs between organizations, Binding Corporate Rules among the affiliates of one organization, or the individual’s consent.
- Storing the data in Canada (which benefits from an adequacy decision) or in the EU, thereby avoiding a transfer altogether, should be considered.
- The legal regime of each country of destination must be taken into account, even where SCCs are in place, to ensure that local laws (for example, surveillance laws) do not prevent the importer from complying with the SCCs.
1. The legal situation of companies under PIPEDA
Since 2001, companies subject to PIPEDA have benefited from an adequacy decision of the European Commission. In short, an adequacy decision allows personal data about individuals in the EU and the European Economic Area (EEA) to be transferred to a company governed by PIPEDA without any further authorization, as an exception to the general prohibition on transferring personal data out of the region. Adequacy status is granted where a country’s legislative framework is considered to offer adequate protection of individuals’ rights over their personal data. Twelve countries (the European Commission publishes the full list) can receive personal data from the EEA without SCCs between organizations or express consent from the individual. Under adequacy, the cross-border transfer of personal data is generally authorized.
Although companies under PIPEDA can receive personal data from the EU without further authorization, they widely rely on SCCs, or on the EU-US Privacy Shield for onward transfers to US service providers, and EU business partners often require SCCs in any event for greater legal certainty.
2. The impact of Schrems II
The complainant in Schrems II is Maximilian Schrems, known for having brought about the invalidation of Safe Harbour as a basis for transferring personal data between the EU and the US, in a CJEU decision of October 6, 2015 (“Schrems I”). The issues in Schrems II were whether Decision 2010/87, which establishes the SCCs, is valid, and whether Decision 2016/1250, which recognized the adequacy of the protection provided by the EU-US Privacy Shield, is valid.
The CJEU determined that:
- The transfer of personal data outside the EU must maintain a level of protection “essentially equivalent” to that required by the GDPR; that assessment must take into account “any access by the public authorities of that third country to the data transferred and the relevant aspects of the legal system of that third country.”
- Decision 2010/87 establishing the SCCs is valid, but SCCs cannot be relied upon where the laws of the country of destination prevent compliance with the SCCs because they allow access to personal data by state authorities beyond what is necessary and proportionate in a democratic society; where that is the case, supervisory authorities in the EU are required to suspend or prohibit the transfers.
- Moreover, the Court imposes an obligation on organizations, whether they transfer or receive the data, to verify, prior to any transfer, whether that level of protection is respected in the country of destination.
- In view of the limitations on the protection of personal data under US law, in particular the scope of government surveillance programmes and the lack of effective redress for EU individuals, Commission Decision 2016/1250 affording adequacy to the EU-US Privacy Shield is invalid.
3. New obligations of organizations around the cross-border transfer of personal data
Concretely, the following obligations emerge:
- All transfers under the EU-US Privacy Shield must now be supported by a new legal basis.
- Data exporters have the obligation to refuse or suspend the transfer where the importer is unable to honour the SCCs due to local laws that would allow access to personal data beyond what is necessary and proportionate in a democratic society.
- The importer must certify that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the SCCs.
- The importer must inform the exporter if the laws applicable to it prevent it from implementing the SCCs.
- The parties to the contract should consider:
  - Whether the law of the country of destination imposes obligations on the importer that would breach the SCCs.
  - The circumstances of the transfer, including the sensitivity of the data transferred, the security measures applied, the access to the data that the law of the country of destination allows public authorities (including law enforcement agencies), and the recourses available to individuals in that regard.
Failure to ensure this protection can give rise to enforceable rights and remedies against the exporter and, in the alternative, against the importer.
It would therefore be wise for Canadian companies to develop guidelines for determining the destination countries to which personal data received from an EU partner may, and may not, be transferred.
For assistance, contact the Dentons Canada Privacy and Cybersecurity team.
For the latest information and developments in Privacy and Cybersecurity law, see our Privacy and Cybersecurity Law blog.