• The Changing Landscape of Cross Border Data Transfers
  • October 26, 2015 | Author: Robert P. Kinghan
  • Law Firm: Perley-Robertson, Hill & McDougall LLP/s.r.l. - Ottawa Office
  • On October 6, 2015, the European Court of Justice (“ECJ”) ruled that the Safe Harbor Framework, an arrangement which allowed the exchange of personal data among European and American companies, was invalid. Given the increasingly global nature of commercial information sharing, this has caused legal uncertainty regarding when businesses can send data into the US. However, for the time being, data can flow freely from the European Union (“EU”) to Canada, and Canadian companies may redirect EU data into the US if certain privacy safeguards are provided.

    The Safe Harbor Framework was the US government’s response to the EU Commission Directive on Data Protection, passed in 1995. The Directive prohibits European businesses from sending personal information—that is, any information about an identifiable individual—to a foreign country that does not have adequate safeguards to protect individual privacy. Personal information can include almost anything, including a person’s name, age, race, personal contact information, or personal financial data.

    The Safe Harbor Framework previously governed how American companies could deal with personal information transferred from the EU. In 2000, the EU Commission approved the framework as providing adequate privacy protection, allowing European businesses to send personal information to the US. However, the recent ECJ judgment overturned the Commission’s approval on the basis that the US does not sufficiently restrict how government agencies can access the information.

    On the other hand, Canada’s privacy safeguards are still considered adequate. In 2002, the EU Commission gave its blessing to Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Consequently, EU businesses can freely send personal information into Canada, as long as the recipient complies with PIPEDA.

    PIPEDA applies to commercial organizations in Canada not governed by provincial legislation deemed “substantially similar”. Under PIPEDA, unless an exception exists, organizations are prohibited from collecting, using, or disclosing personal information without an individual’s knowledge or consent. Therefore, Canadian organizations can redirect personal information received from the EU to third parties in another country, including the US, as long as proper consent is obtained or a legislative exception applies. Organizations are also obligated to ensure that the recipient provides a level of protection comparable to PIPEDA, which can be accomplished through a contract.

    Once the data is inside a foreign jurisdiction, that country’s laws will be paramount. Accordingly, PIPEDA allows an organization to disclose information to a legal authority pursuant to a warrant or subpoena without obtaining the individual’s knowledge and consent. Similarly, disclosure without knowledge and consent is permitted if a foreign government institution requests the information for national security, international affairs, or law enforcement purposes.

    In light of recent publicity regarding Canada’s close relationship with the US, particularly with regard to intelligence sharing for national security purposes, the EU’s position on PIPEDA could change in the near future. In 2014, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs called on the EU Commission to re-examine whether Canada provides an adequate level of privacy protection. It appears such a review has not yet taken place. However, if the EU Commission deems PIPEDA no longer adequate, the Canadian government will need to bring legislative reforms to ensure harmony with the European Data Protection Directive.

    After the Safe Harbor ruling, companies receiving or sending data across borders clearly have evolving legal obligations.