On July 16, 2020, the Court of Justice of the European Union issued the now-famous "Schrems II" decision that invalidated the EU-U.S. Privacy Shield and threw the legality of transfers of EU personal data to non-adequate third countries into question. The CJEU upheld the validity of standard contractual clauses with the caveat that data exporters must assess whether laws and practices in the data importer’s country could undermine their data protection obligations, and if so, either implement supplementary measures to fill the gaps or cease data flows. On Nov. 11, the European Data Protection Board released two draft guidance documents with concrete guidance for data exporters (the “Schrems II road map”).
Despite Canada’s partial adequacy status, Canadian businesses are not immune to the
How is the 'Schrems II' road map relevant to Canadian business?
The EU General Data Protection Regulation’s international transfer requirements ensure that EU data protection requirements "follow the data." Yet, only Personal Information Protection and Electonic Documents Act–regulated EU personal data can rely on adequacy. Data exporters must use a different transfer mechanism, like SCCs or binding corporate rules, for EU personal data outside PIPEDA’s reach.
Meanwhile, the clock is ticking on Canada’s adequacy, which is under review. The recently tabled draft lags behind many of its trading partners. Even if it withstands review by the European Commission, the lesson of "Schrems I and II" is that adequacy decisions can be struck down. Canadian businesses need a Plan B, and SCCs are the likely fallback.
What happens if our data exporters fail to follow it?
Supervisory authorities must suspend data flows if they conclude that essentially equivalent protection cannot be ensured following an investigation or complaint. Advocacy group NOYB founded by Max Schrems swiftly filed 101 complaints against EU-based companies whose websites use Google Analytics and Facebook Connect, prompting the EDPB to strike a separate task force. Complaints from different groups challenging international transfers may follow, and advocacy groups increasingly coordinate “across the pond” as was the case in "Schrems II" with the American Civil Liberties Union and NOYB. A successful complaint against one of your data exporter clients may present business continuity risks for you.
What does 'Schrems II' guidance require?
The "Schrems II" road map documents are Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and Recommendations02/2020 on the European Essential Guarantees for surveillance measures. They are discussed in more detail principle of least privilege. As a processor, be prepared to proactively propose solutions to your data exporters.
Step 3: Assess the law or practice in the receiving country
Your data exporter will need your help to assess whether Canadian law or practice could prevent you from fulfilling your data protection obligations. Université Grenoble Alpes Professor of International and European Law Theodore Christakis has wryly suggested the EDPB has effectively outsourced the European Commission’s job to businesses, saddling them with a burden the commission — with its host of lawyers, deep expertise and tools of political diplomacy — has struggled to get right. In reality, IAPP Research Direct Catilin Fennessy’s description of Step 3 as a “mini-adequacy assessment” in a recent latest update to the European Commission will be a helpful starting point, but it should be validated with objective sources like those listed in Annex 3 of the Supplementary Measures. Christakis cautions that most countries would likely fail Step 3, including many EU member states. He notes that privacy advocates might use the Essential Guarantees guidance as a manual for challenging international transfers, so pay attention to critiques by (e.g., the Canadian Civil Liberties Association's work on privacy and surveillance and Privacy International’s work targeting Five Eyes countries, including Canada).
Step 4: Identify and adopt supplementary measures
Even if you’re confident Step 3 is met, your data exporter may have doubts. Cautious data importers would be wise to continue to Step 4 and actively explore workable solutions based on Annex 2 of the Supplementary Measures, paying special attention to the relevant use cases. Technical measures, like strong encryption, will be required, but other privacy-enhancing technologies, such as secure multi-party computation, data-centric encryption or dynamic pseudonymization/anonymization, may help, and Canada punches above its weight in this area. Data minimization strategies you identified in Step 1 will be important. If you anticipate relying on a form of privilege or professional secrecy in Use Case 4, ensure your proposed strategy satisfies the evolving requirements.
Expect your data exporters to seek contractual amendments to enshrine the above, demand updated internal policies that incorporate Annex 2 organizational measures, and even demand third-party audits or certifications, e.g., to ISO 27701. As a proactive step, consider updating your Trust Centre, FAQ, white papers and actively communicate this to your data exporters. This will show that you take this seriously, ease their burden and hopefully maintain data flows. Ensure sales, legal, procurement and marketing are consistent in their messaging.
Be prepared for some data exporters to seek an EU-based alternative, especially if your processing falls into Use Case 6 or 7 for which the EDPB could find no solution. Christakis predicts data exporters will either localize, do nothing or take a middle-ground approach. The middle ground is likely your best hope, and the above should help you achieve it.
Step 5: Formalize it!
The EDPB expects data exporters to get it in writing. Written instructions in your data-processing agreements and SCCs will likely need to be amended. Note the European Commission has issued new draft SCCs for international transfers, and data-processing agreements will be discussed in a future article. BCRs may need to be
Adequacy to the rescue?
The "Schrems II" road map has replaced uncertainty with an incredibly high bar for data exporters and an important challenge for Canadian data importers. If Canada maintains and expands its adequacy beyond PIPEDA, this will relieve the strain unless a complaint or investigation threatens to overturn the adequacy decision. Until then, Canadian businesses would be wise to proactively address the business continuity risks and possible opportunities this could present.
Photo by Zia Syed on Unsplash
