On July 16, 2020, the Court of Justice of the European Union issued the now-famous "Schrems II" decision that invalidated the EU-U.S. Privacy Shield and threw the legality of transfers of EU personal data to non-adequate third countries into question. The CJEU upheld the validity of standard contractual clauses with the caveat that data exporters must assess whether laws and practices in the data importer’s country could undermine their data protection obligations, and if so, either implement supplementary measures to fill the gaps or cease data flows. On Nov. 11, the European Data Protection Board released two draft guidance documents with concrete guidance for data exporters (the “Schrems II road map”).
Despite Canada’s partial adequacy status, Canadian businesses are not immune to the fallout from "Schrems II." If you process the personal data of EU data subjects, you should consider how the "Schrems II" road map may impact your business.
How is the 'Schrems II' road map relevant to Canadian business?
The EU General Data Protection Regulation’s international transfer requirements ensure that EU data protection requirements "follow the data." Yet, only Personal Information Protection and Electronic Documents Act–regulated EU personal data can rely on adequacy. Data exporters must use a different transfer mechanism, like SCCs or binding corporate rules, for EU personal data outside PIPEDA’s reach.
Meanwhile, the clock is ticking on Canada’s adequacy, which is under review. The recently tabled draft Canadian Consumer Protection Privacy Act, which would replace PIPEDA and bring Canada closer into line with the GDPR, holds promise. Until then, PIPEDA is the law of the land, one that lags behind many of its trading partners. Even if it withstands review by the European Commission, the lesson of "Schrems I and II" is that adequacy decisions can be struck down. Canadian businesses need a Plan B, and SCCs are the likely fallback.
What happens if our data exporters fail to follow it?
Supervisory authorities must suspend data flows if they conclude that essentially equivalent protection cannot be ensured following an investigation or complaint. Advocacy group NOYB, founded by Max Schrems, swiftly filed 101 complaints against EU-based companies whose websites use Google Analytics and Facebook Connect, prompting the EDPB to strike a separate task force. Complaints from different groups challenging international transfers may follow, and advocacy groups increasingly coordinate “across the pond,” as was the case in "Schrems II" with the American Civil Liberties Union and NOYB. A successful complaint against one of your data exporter clients may present business continuity risks for you.
What does 'Schrems II' guidance require?
The "Schrems II" road map documents are Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. They are discussed in more detail here, but in a nutshell, they provide a six-step process data exporters should follow before transferring EU personal data outside the EU/European Economic Area.
Steps 1 and 2: Know what you import and which transfer tool you (may) use
Map your data flows and identify any inbound EU personal data, the data exporter that transfers it to you, the purpose for the transfer, the types of EU personal data you receive, and the transfer mechanism you rely on or wish to rely on. Then ask:
- Do you import it as a controller or joint controller or as a processor?
- Are you importing too much? Your data exporter must only transfer what is “adequate, relevant and limited to what is necessary in relation to the purposes” for the transfer. As a controller, you can proactively limit what is imported through process improvements, by rearchitecting data flows or incorporating privacy-enhancing technologies and measures. Pay close attention to data-minimization and storage-limitation principles and data protection by default. Apply the principle of least privilege. As a processor, be prepared to proactively propose solutions to your data exporters.
- Which tool do you rely on? If PIPEDA applies to the data in question, you can rely on adequacy for now. If adequacy or an Article 49 GDPR derogation applies, document it, skip the remaining steps, but monitor developments. Be mindful of onward transfers.
- For any EU personal data that falls outside PIPEDA or the derogations, you will likely use SCCs, unless BCRs are already in place. Go to Step 3.
- Do you transfer on to third countries? If you’re a processor, ensure your written instructions allow this. Follow the "Schrems II" road map for this data from the data exporter perspective.
Step 3: Assess the law or practice in the receiving country
Your data exporter will need your help to assess whether Canadian law or practice could prevent you from fulfilling your data protection obligations. Université Grenoble Alpes Professor of International and European Law Theodore Christakis has wryly suggested the EDPB has effectively outsourced the European Commission’s job to businesses, saddling them with a burden the commission — with its host of lawyers, deep expertise and tools of political diplomacy — has struggled to get right. In reality, IAPP Research Director Caitlin Fennessy’s description of Step 3 as a “mini-adequacy assessment” in a recent LinkedIn Live is more accurate. It is limited to an objective assessment of the law and practice of the importer’s country as it relates to the selected transfer tool and the processing in light of the Essential Guarantees:
- Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- An independent oversight mechanism should exist.
- Effective remedies need to be available to the individual.
Canada’s latest update to the European Commission will be a helpful starting point, but it should be validated with objective sources like those listed in Annex 3 of the Supplementary Measures. Christakis cautions that most countries would likely fail Step 3, including many EU member states. He notes that privacy advocates might use the Essential Guarantees guidance as a manual for challenging international transfers, so pay attention to critiques (e.g., the Canadian Civil Liberties Association's work on privacy and surveillance and Privacy International’s work targeting Five Eyes countries, including Canada).
Step 4: Identify and adopt supplementary measures
Even if you’re confident Step 3 is met, your data exporter may have doubts. Cautious data importers would be wise to continue to Step 4 and actively explore workable solutions based on Annex 2 of the Supplementary Measures, paying special attention to the relevant use cases. Technical measures, like strong encryption, will be required, but other privacy-enhancing technologies, such as secure multi-party computation, data-centric encryption or dynamic pseudonymization/anonymization, may help, and Canada punches above its weight in this area. Data minimization strategies you identified in Step 1 will be important. If you anticipate relying on a form of privilege or professional secrecy in Use Case 4, ensure your proposed strategy satisfies the evolving requirements.
Expect your data exporters to seek contractual amendments to enshrine the above, demand updated internal policies that incorporate Annex 2 organizational measures, and even demand third-party audits or certifications, e.g., to ISO 27701. As a proactive step, consider updating your Trust Centre, FAQ and white papers, and actively communicate this to your data exporters. This will show that you take this seriously, ease their burden and hopefully maintain data flows. Ensure sales, legal, procurement and marketing are consistent in their messaging.
Be prepared for some data exporters to seek an EU-based alternative, especially if your processing falls into Use Case 6 or 7 for which the EDPB could find no solution. Christakis predicts data exporters will either localize, do nothing or take a middle-ground approach. The middle ground is likely your best hope, and the above should help you achieve it.
Step 5: Formalize it!
The EDPB expects data exporters to get it in writing. Written instructions in your data-processing agreements and SCCs will likely need to be amended. Note the European Commission has issued new draft SCCs for international transfers, and data-processing agreements will be discussed in a future article. BCRs may need to be supplemented.
Step 6: Reevaluate
The "Schrems II" road map requires constant vigilance, so periodically reassess. Formalize this internally and proactively update your data exporters on new developments, e.g., responses to new threats to encryption strength, positive or negative key developments in Canada. Your data exporters will thank you for it.
Adequacy to the rescue?
The "Schrems II" road map has replaced uncertainty with an incredibly high bar for data exporters and an important challenge for Canadian data importers. If Canada maintains and expands its adequacy beyond PIPEDA, this will relieve the strain unless a complaint or investigation threatens to overturn the adequacy decision. Until then, Canadian businesses would be wise to proactively address the business continuity risks and possible opportunities this could present.