Potential amendments could mean Canadian businesses receiving personal information from Europe will have more exposure to the differences in the data protection laws and enforcement regimes in the EU member states.
Readers of this blog will be aware that European privacy law has been in flux in the wake of the Schrems decision, which struck down the EU-US Safe Harbour regime for transfers of personal information. (See previous coverage here, here, here, here, and here.)
While the direct impact of that decision was limited to Safe Harbour, the principles it set out were widely anticipated to have broader implications. Some clues have now emerged as to how these implications will play out.
On October 3, the European Commission presented draft decisions amending a number of existing “adequacy” decisions, including the decision applicable to Canada, as well as the decision on standard contractual clauses (or “SCCs”).
The amendments have not yet been publicly released. However, according to the summary of the meeting of the “Committee on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (aka the “Article 31 Committee”):
…the purpose of both draft decisions is to cure the illegality that follows from the findings in the Court of Justice’s Schrems ruling. In Schrems, the Court invalidated Article 3 of the Safe Harbour adequacy decision because it found that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (“DPAs”) to suspend and prohibit data flows. Since a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.
From this description, it seems likely that the amendment will (at least) modify Article 3 of the Canadian adequacy decision, to make it clear that DPAs will have full and independent authority to review any transfers to Canada and apply any remedies available under their respective national laws.
The same is presumably true for the other affected decisions, including Article 4 of the SCCs decision.
If true, this will mean that Canadian businesses on the receiving end of transfers of personal information from Europe (and all businesses relying on the SCCs) will have more exposure to the differences in the data protection laws and enforcement regimes in the member states. This confirms what we predicted would be a likely consequence of the Schrems decision.
Some of these differences will be harmonized by the GDPR, when it comes into full effect on May 6, 2018. However, that will bring its own challenges, including new obligations that will be applied extraterritorially to businesses offering goods or services in the European market, backed by the potential for hefty monetary penalties that can reach up to the greater of €20 M or 4% of an organization’s global after-tax revenues.
However, there does not appear to be any suggestion that these amendments will modify the core determination that Canadian law provides adequate protection of personal information. So, at least in the short term, it will continue to be legal to transfer European personal information to Canada.
The Article 31 Committee has not yet taken any decision on the proposed amendments. A further meeting will be convened in “the coming weeks”, after the member states have an opportunity to review and consider the documents.