Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/654684
62 LEXPERT MAGAZINE | APRIL 2016 ment, then, the Privacy Shield is intended to protect the personal information of Eu- ropean Union citizens in accordance with EU standards in cases where the informa- tion is sent abroad for commercial pur- poses. To comply, US businesses will need to commit to certain obligations regarding the processing and protection of personal information. e Department of Com- merce and the Federal Trade Commission will enforce these commitments. As well, the US government has given as- surances that personal information of EU citizens that is transferred to the US will not be subject to mass surveillance pro- grams and that its use for national security and related purposes will be subject to cer- tain safeguards. e Shield also allows EU citizens who feel their rights have been breached to chan- nel complaints to the company involved. European data protection authorities may also refer complaints to the DOC and the FTC. Companies will have deadlines to reply to the complaints and unresolved complaints will be dealt with under certain free-of-charge dispute resolution mecha- nisms. Complaints about access by national intelligence authorities will be addressed to a dedicated US-based ombudsperson. "What the Shield has done is articulate some very specific principles that the EU wants to see in place as part of any safe har- bour agreements," Young says. "ey'll be particularly interested in concrete commit- ments from countries whose privacy regimes have the same issues that arose in Schrems." Canada may be one of these countries. "What a lot of people are concerned about is that if the Schrems type of analysis is applied to our federal legislation and to a lesser extent our existing provincial legisla- tion, the adequacy of our privacy laws could be in question," says Mark Hayes of Hayes eLaw LLP, a privacy, IP and technology boutique in Toronto. Although the European Commission determined in 2001 that Canada's Per- sonal Information Protection and Electronic Documents Act provides "adequate protec- tion" for data transferred from the EU, it could revisit that conclusion. Indeed, as Hayes points out, the ECJ did note that the level of protection ensured by countries outside the EU is liable to change and that "it is incumbent upon the [Data Protec- tion] Commissioner" to periodically check whether an earlier adequacy decision was still justified. e potential difficulty for Canada is that even a cursory check would reveal that our national security agencies have, broadly speaking, much the same authority as their US counterparts. Last year, a European Parliament committee produced a report on global cybersurveillance capabilities that concluded the systems were rough equivalents — and that was before the Pri- vacy Shield offered Europeans the comfort of an ombudsperson in matters of national security and a dispute resolution mecha- nism for other privacy complaints. Worst of all, perhaps, Canadian law does not even prohibit the transfer of data to countries lacking strong privacy regimes. "All we require is contractual arrange- ments ensuring that Canadian restrictions will be largely honoured by the entity that is receiving the data," Hayes says. e bright side is that the Canadian re- gime is generally held in very high regard by international authorities. So we won't be the first ones the Europeans look at. at could be little comfort for the un- prepared, however, when the EU – perhaps in the aerglow (or aermath?) of CETA's signing – decides to take a closer look at its new best trading friend. THE EU-US Privacy Shield announced early in February should be a call to arms for Canadian businesses that transfer data directly from the EU to the US or that re- ceive data anywhere that they ultimately transfer to the US. "e Privacy Shield is bringing us one step closer to an EU re-evaluation of the ad- equacy of Canada's privacy regimes," says David Young of David Young Law in To- ronto. "So Canadian companies should be examining the Shield to see how we can ap- ply its principles in the Canadian context." e Privacy Shield will replace the Safe Harbour Agreement between the EU and the US that the European Court of Justice (ECJ) invalidated last year in Schrems v. Data Protection Commissioner. e court ruled that a foreign privacy protection re- gime had to be "essentially equivalent" to the EU regime to qualify for the safe har- bour provisions that exempted its nationals from the EU's restrictions on data transfer. But the US, which lacks a comprehensive privacy protection regime, did not qualify primarily because national security, public interest and law enforcement policies there were so overriding as to deprive EU citizens of the privacy rights guaranteed by their own laws. Compounding the problem was the fact that US law provided no redress for adversely affected EU citizens. Like the original Safe Harbour Agree- Canada's privacy regime may be next in European Unions's push for better protection of its citizens' data EU-US conclude data agreement PHOTO: SHUTTERSTOCK | EU DATA | THE BORDER