The dismissal by a European Union court of a European-American personal data protection transfer agreement is making headlines in the United States. But an expert here says it may have the knock-on effect of pushing Canada to update its federal privacy law.
Ann Cavoukian, head of the Privacy By Design Centre for Excellence, agreed Thursday’s decision by the EU Court of Justice that the 2015 EU-US Data Protection Shield doesn’t give EU residents adequate protection under Europe’s General Data Protection Regulation (GDPR) could be the nudge Ottawa needs to overhaul the Personal Information Protection and Electronic Documents Act (PIPEDA).
“Now maybe with this eliminated in the U.S., maybe they (EU) will come down hard on Canada as well because we no longer have essential equivalence with them that we used to have in the past.”
The question of equivalence — or, more accurately in legal terms, adequacy — is essential to the EU and to companies outside it that do business with the community and collect personal data of customers and partners.
Long ago the EU decided an organization could only send personal data about an EU resident outside the bloc if the destination country has an adequate level of data protection. PIPEDA was given adequacy status years ago. The U.S., which doesn’t have a national data privacy law, needed arrangements like the 2000 Safe Harbour agreement so data transfers were allowed. When that was struck down in 2015 it had to negotiate the Privacy Shield with the E.U.
What complicated things was the passing in 2018 of the GDPR, which unified and toughened differing privacy laws across the EU. Since then, the issue of adequacy with the privacy laws of other countries has been up in the air.
For the sake of continuity, the EU didn’t immediately make all other countries’ privacy laws inadequate unless they are equivalent to the GDPR. Instead, it is taking a few years to review those laws and give an opinion on their adequacy.
How did the EU Court of Justice come into this? Briefly, it stems from a 2013 request by Austrian lawyer and activist Max Schrems to Irish privacy regulators to suspend or prohibit Facebook from transferring his personal account data to the U.S. Initially the case was dismissed because the Safe Harbor agreement with the U.S. was deemed adequate to EU laws. But in 2015 that agreement was struck down, which led to the EU-US Privacy Shield. The Irish regulator then asked the EU High Court to rule on the adequacy of the Privacy Shield to GDPR.
In a blog post, Toronto privacy lawyer Barry Sookman described yesterday’s decision that the Privacy Shield doesn’t offer adequate protection for data transferred to the U.S. as a “bombshell” for American companies. “It will directly affect Canadian companies,” he added, “including multinationals that do business in the U.S. and transfer personal information to the U.S. from the EU for processing or other uses.”
University of Victoria political science professor Colin Bennett said in a blog that as a result of the E.U. court decision there must be “some serious, rather than cosmetic, reform to PIPEDA.” Quebec’s recently proposed changes to its privacy law comes close to GDPR and “ups the ante for the federal government.”
PIPEDA’s status, for now, is safe. However, some privacy experts here, including Cavoukian and federal privacy commissioner Daniel Therrien, are certain PIPEDA needs to be updated.
In February 2018 the House of Commons Access to Information, Ethics and Privacy committee issued a report urging the government the determine if any changes are needed to PIPEDA to maintain its adequacy status.
At the same time, it also recommended a number of changes to PIPEDA which could bring it closer to adequacy, including making Privacy By Design a central principle of the act and giving the federal Privacy Commissioner the power to make orders and impose fines for non-compliance.
Therrien has been lobbying for updates to PIPEDA and increasing powers for some time. But after the committee report “nothing happened,” complained Cavoukian.
Asked if the government is waiting for the EU to specifically say if or how it wants PIPEDA to be updated rather than waste time changing the legislation only to find it wasn’t enough, Cavoukian was dismissive.
“Why can’t we be proactive for a change?” she asked. “We know this is coming. Why wait for the EU to come to us and say, ‘This is what we expect.’ It’s not rocket science to figure this out.”