Insights Header image
Insights Header image
Insights Header image

Introducing Safe Harbour 2.0: the EU-US Privacy Shield

February 2016 Privacy Bulletin 3 minute read

The EU Commission recently announced that it had come to an agreement with the US on a new framework to facilitate data flows. This announcement follows the decision by the Court of Justice of the European Union (CJEU) in Schrems v Data Protection Commissioner invalidating the traditional safe-harbour principles. Click here to view our earlier bulletin on the Schrems decision.

Background

The effect of the CJEU’s decision in Schrems was to invalidate the safe harbour principles on which companies used to rely to transfer personal data from the European Union (EU) to the United States (US). The CJEU was of the view that the revelations by Edward Snowden demonstrated a broad and indiscriminate lawful access regime in the US that is incompatible with EU data protection laws. The EU Data Protection Directive requires that information being transferred outside of the EU maintain an adequate level of protection as compared to the safeguards that exist under EU law.[1] In Schrems the CJEU reasoned that the ability of public agencies to apply broad surveillance frustrates the ability of businesses to provide meaningful data protection assurances with respect to data transferred into the United States. Therefore, the CJEU found that the safe harbour regime could not protect personal information transferred from the EU to the US. The Schrems decision created great uncertainty for a number of businesses, since the global nature of business in today’s marketplace often requires the transfer of data between the EU and the US.

The Proposed Solution

The EU Commission recently issued a press release indicating that it had come to an agreement with the US on a new framework for transatlantic data flows that is consistent with the CJEU’s requirements in Schrems. The press release refers to the agreement as the “EU-US Privacy Shield”.

The EU-US Privacy Shield calls for increased cooperation between the European Data Protection Authorities and the US Department of Commerce and Federal Trade Commission. The arrangement includes a commitment by US authorities that the possibility of lawful access will be subject to greater limitations and oversight. The arrangement will require:

  • Greater obligations on companies handling personal information from the EU;
  • Increased safeguards and transparency regarding US lawful access; and
  • Recourse mechanisms for EU citizens whose data has been mishandled.

The EU-US Privacy Shield has not yet come into force. A draft “adequacy decision” is currently being prepared for approval by the College of Commissioners of the EU.

Implications for Canadians

The announcement of the EU-US Privacy Shield is an important development. Firstly, the EU-US Privacy Shield will provide Canadian businesses that transfer data between the EU and the US with an approved mechanism to do so.

In addition, while the EU Commission has previously found that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) provides adequate protection for personal information,[2] the EU data protection regime is rapidly developing. It is conceivable that Canada’s data protection regime will fall out of sync with the EU’s and that a similar decision to Schrems could complicate transfers of EU data into Canada. The announcement of the EU-US Privacy Shield demonstrates some flexibility on the part of the EU, and may provide a precedent for an alternate form of arrangement if PIPEDA’s adequacy is ever challenged in the future.

by Mitch Koczerginski and Lyndsay Wasser

[1] EU Directive 95/46/EC, Art. 25(1).

[2] 2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539).

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2016

Insights (5 Posts)View More

Featured Insight

Investor Relations Activities Require Clear and Conspicuous Disclosure

BC Notice 51-703 emphasizes that investor relations activities must be “clearly and conspicuously” disclosed pursuant to Section 52(2) of the Securities Act.

Read More
May 22, 2024
Featured Insight

Unpacking Ontario’s Proposed Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024

Unpacking Ontario's Bill 194: Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. Key changes & compliance strategies detailed.

Read More
May 17, 2024
Featured Insight

Navigating International Student Worker Restrictions: Post-Expiry Guidelines for Employers

On April 30, 2024, Canada’s temporary waiver allowing international students to exceed 20 hours of work per week expired.

Read More
May 14, 2024
Featured Insight

Understanding the Consumer-Driven Banking Framework: Key Insights from the Budget Implementation Act, 2024, No.1

On April 30, the federal government introduced the Budget Implementation Act, 2024, No. 1, which provides the legislative framework for open banking in Canada.

Read More
May 13, 2024
Featured Insight

Legal Risk Assessments – An Essential Risk Management Tool

The best way to address the legal issues that arise in any business is to focus on their identification and resolution before they become legal problems.

Read More
May 9, 2024