US companies doing business in Europe can no longer rely on the EU-US Privacy Shield for transferring their European users’ data to the United States. The EU-US Privacy Shield, adopted in 2016, was a framework meant to regulate personal data transfers between the European Union (EU) and the United States of America. Many US companies transfer their foreign users’ data to the United States, where it can be scrutinized by the US intelligence services; the Privacy Shield was meant to protect European users’ data from surveillance by the United States.
On July 16, 2020, in ruling C-311/18, the Court of Justice of the European Union (CJEU) overturned the decision of the European Commission to recognize adequate protection for the EU-US Privacy Shield. According to the United States Department of Commerce, more than 5300 enterprises had been using the Privacy Shield up to that point. The main difference between the Privacy Shield and its predecessor, the Safe Harbor, was the establishment, under the former, of a US Privacy ombudsperson, whose function was to facilitate the processing of requests and to adjudicate complaints regarding the rectification or erasure of data. In its ruling, the CJEU concluded that the ombudsperson did not satisfy the requirement for independence and impartiality, mainly because the appointment could be revoked at the executive’s discretion.
Standard Contractual Clauses
Despite the CJEU’s ruling, Standard Contractual Clauses (SCC) “remain a valid tool for the transfer of personal data to processors established in third countries”. Issued by the European Commission, SCCs come in the form of two sets of standard contractual terms and conditions signed by the sender and the receiver of personal data. They aim to protect, through contractual obligations, personal data leaving the European Economic Area, in compliance with the requirements set forth in the European General Data Protection Regulation (GDPR), for territories in which the protection of data subjects is considered inadequate. SCCs apply between the data exporter and the data importer, but do not bind the national authorities of a third country, which may require the data importer to make the personal data available to its security services. In such a case, where the level of protection required by EU law is not met, the data controller (i.e., the business or entity which determines the purposes and means of the personal data processing) must suspend such data transfers. Since the CJEU’s ruling, it is still unclear how European and American companies could ensure that their SCCs covering transfers to the United States would meet the standards of data protection under European law. The Privacy Shield’s repudiation highlights the importance, for companies that were transferring data under this framework, of ensuring that the data of their European users remains protected under adequate contracts.
An Opportunity for Canada
The CJEU’s ruling should remind Canada of the need to update the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into force in 2000 and which provides a framework for the protection of personal information in the private sector. Quebec, British Columbia and Alberta have already started updating their own laws relating to the protection of personal data in the private sector; Quebec is drawing inspiration in this regard from the European GDPR. Several experts believe that the CJEU ruling represents an opportunity for Canada to become the safe place in North America for the processing of personal data.
For more information on international agreements and the potential impact of this decision on your company’s activities, do not hesitate to contact Bernard Colas or one of our other CMKZ lawyers specializing in international trade law.