Last week, EDRM hosted a webinar on “Practical Options for US Litigators and Investigators Dealing with EU Data” featuring Dominic Jaar, KPMG, and Jo Sherman, EDT, regarding the October 2015 Court of Justice of the European Union (CJEU) decision Schrems v. Data Protection Commissioner of Ireland. [1]
This now infamous decision invalidates the Safe Harbour framework for data transfer from the EU to the US because it does not provide adequate protection for personal information. As a result of the CJEU decision, any transfer of personal data from the EU to the US that exclusively relies on the Safe Habour framework is now unlawful.
Canadian multinational companies that relied on Safe Habour to transfer personal data from the EU to the US, and Canadian businesses that host or process EU data with US servers, are all impacted. The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data released a statement that Standard Contractual Clauses and Binding Corporate Rules can still be used while a new intergovernmental agreement is being negotiated. It also stated that if no appropriate solution is found with the US authorities by the end of January 2016, EU data protection authorities will begin to take all necessary and appropriate actions, including enforcement actions.[2]
EU to Canada Data Transfers
Canada is considered a privacy safe jurisdiction. In December 2001, the EU commission found that The Personal Information Protection and Electronic Documents Act in Canada ensures an adequate level of protection for personal data.[3] Personal data can therefore be transferred from the EU to Canada. Although Bill C-51 may raise some concern over whether Canada continues to ensure an adequate level of privacy protection, it is worth noting that the new government has promised to make adjustments to the bill.
Currently, Canada has been deemed to have appropriate privacy safeguards and multinational companies are increasingly sending their data to Canada. American law firms are also increasingly conducting large scale document review projects in Canada for a number of reasons, including privacy issues and the current affordability due to the lower Canadian dollar.[4]
Heuristica Discovery Counsel is a boutique legal practice focused on electronic discovery, evidence management, and related litigation and legal services.
For more information:
Crystal O’Donnell: crystal@discoverycounsel.ca
Candice Chan-Glasgow: candice@discoverycounsel.ca
Disclaimer:
This article is made available by Heuristica Discovery Counsel Professional Corporation for educational purposes only as well as to give you general information and a general understanding of the law, not to provide legal advice. The article should not be used as a substitute for competent legal advice from a licensed lawyer in your jurisdiction.
[1] Schrems v. Data Protection Commissioner of Ireland, [2015] EUECJ C-362/14 < http://www.bailii.org/eu/cases/EUECJ/2015/C36214.html>.
[2] Statement of the Article 29 Working Party <http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf>.
[3] 2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539) <http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002D0002&qid=1415699250815>.
[4] This could raise immigration and tax issues for the American firms if they are bringing legal teams into Canada.